[Snort-devel] SpoAlertUnixSock

Dirk Geschke Dirk_Geschke at ...802...
Thu Sep 6 06:08:03 EDT 2001


> > I think a better way would be to change the 'if' statement to
> > 
> >   if (p && p->iph) { ...
> > 
> yup.. a bit brain-damaged code indeed. :) Fixed. :-p


> > BTW: I think an extension of the struct Alertpkt by the Event structure
> > would be a nice idea. This way the event could be part of the alertpkt
> > and be written to the socket too. This gives the ability to check things
> > like the priority within the socket server.
> > 
> Yup. Committed. :) Just haven't seen many people using unix socket
> feature until recent times, so the code hasn't been maintained much :)

I was looking for a way to do separate alerting besides logging to a
central SQL server. With a simple Perl script as socket server I am able
to look for special patterns or things like the event.priority and can start
different alert schemes...

It is also a good idea to add the event struct before the packet. The
packet contains a full Ethernet packet of size 1514 bytes. This is not
on a 4-byte boundary, so some compilers add two additional bytes at the
end of the structure. Simply appending the event to the alertpkt results
in a misfit of two bytes...


| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Stra/3e 26            |

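The alignment effect described in the mail above, as an added example that is not from the thread or from Snort's sources: two constructed, simplified struct layouts (a 1514-byte frame buffer plus an event record of 32-bit fields) show with offsetof() where the compiler inserts the two padding bytes, and why a socket reader that assumes the event starts right after the packet reads the wrong bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the structures discussed in the thread
 * (not Snort's own definitions). The names are assumptions. */
#define SNAPLEN 1514            /* full Ethernet frame, 1514 % 4 == 2 */

typedef struct {
    uint32_t sig_generator;
    uint32_t sig_id;
    uint32_t sig_rev;
    uint32_t classification;
    uint32_t priority;
} Event;

/* Layout 1: event appended after the packet buffer. The compiler must
 * align the first uint32_t of Event to 4 bytes, so it pads after pkt[]. */
typedef struct {
    uint8_t pkt[SNAPLEN];
    Event   event;
} AlertpktAppended;

/* Layout 2: event placed before the packet buffer. Event is 4-byte aligned
 * and a multiple of 4 in size, so pkt[] follows it without a gap. */
typedef struct {
    Event   event;
    uint8_t pkt[SNAPLEN];
} AlertpktPrepended;

/* Padding bytes between pkt and event in layout 1 (expected: 2). */
size_t padding_before_appended_event(void) {
    return offsetof(AlertpktAppended, event) - SNAPLEN;
}

/* Padding bytes between event and pkt in layout 2 (expected: 0). */
size_t padding_before_prepended_pkt(void) {
    return offsetof(AlertpktPrepended, pkt) - sizeof(Event);
}

/* Offset of the priority field as a naive reader computes it (pkt + SNAPLEN)
 * versus where the compiler really put it; the difference is the "misfit". */
size_t naive_priority_offset(void) { return SNAPLEN + offsetof(Event, priority); }
size_t real_priority_offset(void)  { return offsetof(AlertpktAppended, event) + offsetof(Event, priority); }

int main(void) {
    printf("appended : event at %zu, padding before event %zu\n",
           offsetof(AlertpktAppended, event), padding_before_appended_event());
    printf("prepended: pkt at %zu, padding before pkt %zu\n",
           offsetof(AlertpktPrepended, pkt), padding_before_prepended_pkt());
    return 0;
}
```

A reader on the socket side can use the same arithmetic as a sanity check: if sizeof(Alertpkt) is not the sum of its members' sizes, hidden padding exists and field offsets must be taken from the compiler, not computed by hand.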