[Snort-devel] unix sockets

Phil Wood cpw at ...86...
Wed Sep 26 14:19:03 EDT 2001


Folks,

Two related things:

1. I have attached a diff which allows the following configs to work:
   a. output alert_unixsock: $SOCKET_FILE
   b. 
      ruletype redalert
      {
        type alert
        output alert_unixsock: /tmp/socket  
      }
   c. output alert_unixsock: (defaults to how it worked in the past, except
      in the past OpenAlertSock was called twice.)

2. If I replace /tmp/socket with $SOCKET_FILE in the ruletype (which is
   initialized to /tmp/socket) the variable is not expanded, and snort
   tries to "connect" to '$SOCKET_FILE'.

   It seems to me that it would be nice if variables could be used within
   a ruletype definition.

I've incorporated the above in the snort we are running here.  I vote
that it be incorporated into snort cvs.

Thanks,

-- 
Phil Wood, cpw at ...86...


--- snort/snort.c	Tue Sep 25 21:10:20 2001
+++ snort+/snort.c	Wed Sep 26 20:37:42 2001
@@ -396,8 +396,6 @@
 
                 case ALERT_UNSOCK:
                     AddFuncToOutputList(SpoAlertUnixSock, NT_OUTPUT_ALERT, NULL);
-                    OpenAlertSock();
-
                     break;
 
                 case ALERT_STDOUT:
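Review bot: dropping the OpenAlertSock() call here is the right fix for the double open, since ParseAlertUnixSockArgs now opens the socket, but nothing in the patch updates the declaration of OpenAlertSock (presumably in log.h) to the new `OpenAlertSock(char *srv)` signature. Any translation unit that still sees `void OpenAlertSock()` compiles a mismatched call silently, so the header hunk should be part of this diff.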
--- snort/log.c	Tue Sep 25 19:54:47 2001
+++ snort+/log.c	Wed Sep 26 20:37:42 2001
@@ -592,9 +592,8 @@
  *
  * Returns: void function
  */
-void OpenAlertSock()
+void OpenAlertSock( char *srv )
 {
-    char *srv = UNSOCK_FILE;
 
     if(access(srv, W_OK))
     {
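Review bot: srv is now caller-supplied configuration text rather than a compile-time constant, yet the only check in the hunk is `access(srv, W_OK)`: there is no NULL check and no length check before the path is used to fill the sockaddr_un, whose sun_path is a fixed-size array, so an overlong path in the config should be rejected with a clear error (compare strlen(srv) against sizeof(addr.sun_path)) rather than truncated or overrun. The parameter should also be `const char *srv`, since the function has no reason to modify it.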
--- snort/spo_alert_unixsock.c	Tue Sep 25 19:54:49 2001
+++ snort+/spo_alert_unixsock.c	Wed Sep 26 20:37:42 2001
@@ -28,6 +28,7 @@
  */
 
 /* output plugin header file */
+#define DEBUG
 #include "spo_alert_unixsock.h"
 
 /* external globals from rules.c */
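Review bot: the unconditional `#define DEBUG` looks like a leftover from testing; it forces the DEBUG printf in ParseAlertUnixSockArgs into every build regardless of how snort was configured. Drop it from the patch and pass -DDEBUG at compile time when the output is wanted.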
@@ -104,11 +105,20 @@
  */
 void ParseAlertUnixSockArgs(char *args)
 {
+    char *srv = UNSOCK_FILE;
+
 #ifdef DEBUG
     printf("ParseAlertUnixSockArgs: %s\n", args);
 #endif
     /* eventually we may support more than one socket */
-    OpenAlertSock();
+    if (!args || *args == '\0')
+    {
+    	OpenAlertSock (srv);
+    }
+    else
+    {
+        OpenAlertSock(args);
+    }
 }
 
 /****************************************************************************
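Review bot: the DEBUG printf runs before the NULL check, so in the bare `output alert_unixsock:` case this patch is meant to support (args == NULL) `printf("%s\n", args)` passes a null pointer for %s, which is undefined behaviour; move the check first or print a placeholder when args is NULL. The two branches can collapse to `OpenAlertSock((args && *args) ? args : UNSOCK_FILE);`, which also removes the srv local. The `OpenAlertSock (srv);` line mixes a tab with spaces and puts a space before the parenthesis, unlike the surrounding code.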
@@ -181,8 +191,9 @@
 
 
     if(sendto(alertsd,(const void *)&alertpkt,sizeof(Alertpkt),
-              0,(struct sockaddr *)&alertaddr,sizeof(alertaddr))==-1)
+              0,(struct sockaddr *)&alertaddr,SUN_LEN(&alertaddr))==-1)
     {
+	    fprintf (stderr, "sendto error %s\n", strerror(errno));
         /* whatever we do to sign that some alerts could be missed */
     }
 
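Review bot: strerror() and errno need <string.h> and <errno.h>, and the hunk does not show whether spo_alert_unixsock.c already includes them, so confirm or add the includes. The fprintf fires on every failed sendto, which is once per alert for as long as the consumer is absent, so it will flood stderr; rate-limit it or log only the first failure. SUN_LEN is a BSD/glibc convenience macro that not every platform provides, so either guard it with a fallback of `offsetof(struct sockaddr_un, sun_path) + strlen(alertaddr.sun_path)` or compute the length directly. The added line is tab-indented while the rest of the block uses spaces.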


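As an added illustration of the socket-path handling this patch touches (this is not code from the post or from snort), the C program below applies the same fallback-to-default rule for an empty or missing argument, rejects a configured path that would not fit in sun_path before it is used, computes the address length that SUN_LEN() would give without depending on the macro, and opens the datagram socket the way OpenAlertSock does, including the access() check. DEFAULT_UNSOCK_PATH, the function names and the sample paths are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Assumed default, standing in for snort's UNSOCK_FILE. */
#define DEFAULT_UNSOCK_PATH "/tmp/socket"

/* Config rule from the post: no argument (NULL or empty) means the default path. */
const char *choose_unsock_path(const char *args)
{
    if (args == NULL || *args == '\0')
        return DEFAULT_UNSOCK_PATH;
    return args;
}

/* Fill a sockaddr_un from path, refusing anything that would not fit in sun_path.
 * Returns 0 on success, or -1 with errno set to EINVAL (empty/NULL path) or
 * ENAMETOOLONG. *addrlen receives the length to hand to connect()/sendto();
 * it equals what SUN_LEN() yields (offset of sun_path plus the path length). */
int build_unsock_addr(const char *path, struct sockaddr_un *addr, socklen_t *addrlen)
{
    size_t n;

    if (path == NULL || *path == '\0') {
        errno = EINVAL;
        return -1;
    }
    n = strlen(path);
    if (n >= sizeof(addr->sun_path)) {   /* leave room for the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n + 1);
    *addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n);
    return 0;
}

/* Convenience wrapper: the address length for path, or -1 if it was rejected. */
int addr_len_for(const char *path)
{
    struct sockaddr_un addr;
    socklen_t len;

    if (build_unsock_addr(path, &addr, &len) != 0)
        return -1;
    return (int)len;
}

/* Constructed sample input: a path longer than sun_path on any platform. */
const char *overlong_path_sample(void)
{
    static char buf[256];

    if (buf[0] == '\0') {
        memset(buf, 'a', sizeof(buf) - 1);
        buf[0] = '/';
        buf[sizeof(buf) - 1] = '\0';
    }
    return buf;
}

/* Open a datagram socket connected to path. Like OpenAlertSock in the post it
 * requires the socket file to already exist and be writable (the consumer
 * creates it). Returns a file descriptor, or -1 with errno set. */
int open_alert_sock(const char *path)
{
    struct sockaddr_un addr;
    socklen_t len;
    int fd, saved;

    if (build_unsock_addr(path, &addr, &len) != 0)
        return -1;
    if (access(path, W_OK) != 0)
        return -1;
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&addr, len) != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = choose_unsock_path(argc > 1 ? argv[1] : NULL);
    int fd = open_alert_sock(path);

    if (fd < 0) {
        fprintf(stderr, "cannot open %s: %s\n", path, strerror(errno));
        return 1;
    }
    printf("connected to %s\n", path);
    close(fd);
    return 0;
}
```

Run it with no argument to use the default path, or with a path as the first argument; the length check is what keeps a long `$SOCKET_FILE` value in the config from being silently truncated or overrunning sun_path.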