[Snort-devel] [Snort-Users] help reporting using unix socket (unsock)

Joel Esler joel.esler at ...3080...
Wed Sep 7 10:25:24 EDT 2011


Copying Snort devel on this.

Joel

On Sep 7, 2011, at 9:48 AM, yamahabob wrote:

> I'm wanting to report alerts through a socket using unsock, but I
> can't seem to get the alerts to go through. I opened a socket using a
> Perl script as follows:
> 
> use strict; $|++;
> use IO::Socket;
> my $socketfile = "/dev/snort_alert";
> unlink $socketfile;
> my $data;
> my $server = IO::Socket::UNIX->new(
>        Local => $socketfile,
>        Type      => SOCK_STREAM,
>        Listen    => 100 ) or die $!;
> $server->autoflush(1);
> # Print one line from each accepted connection.
> while ( my $connection = $server->accept() ) {
>        $data = <$connection>;
>        print $data, $/;
> }
> 
> First, I understand all I will see is garbage because I'm not using
> the specific packets format, but I'm just testing to see if data is
> making it through.
> 
> It opens the file "/dev/snort_alert" as the documentation says, but it
> doesn't appear to be getting alerts sent to it. I'm running snort
> using:
> /usr/local/snort/bin/snort -A unsock -c /usr/local/snort/etc/snort.conf -i eth1
> If I run another Perl script to send data to /dev/snort_alert, the
> data prints to screen as the server code is supposed to do, but not
> with any alerts.
> Ideas?
> Thanks in advance
> 
> -- 
> To post to this group, send email to snortusers at ...3154...
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
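
An added example, not part of the original thread and not Snort's own code, written in Python rather than the poster's Perl: it shows why a `SOCK_STREAM` listener like the one quoted above never sees a datagram sender's data, while a `SOCK_DGRAM` listener bound to the same path does. Assumptions: Snort 2.x's unsock output sends each alert as one unconnected datagram to a file named `snort_alert` under its log directory, and each datagram begins with a 256-byte NUL-padded message field; the function names and the sample payload are constructed for illustration.

```python
import errno
import os
import socket
import tempfile

ALERTMSG_LENGTH = 256  # assumption: size of the leading message field in Snort 2.x's Alertpkt


def open_listener(path, sock_type):
    """Bind a UNIX socket of the given type at path, replacing any stale file."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, sock_type)
    srv.bind(path)
    if sock_type == socket.SOCK_STREAM:
        srv.listen(100)  # mirrors the quoted Perl listener
    return srv


def send_alert(path, payload):
    """Stand-in for the sensor side: one unconnected datagram per alert.
    Returns None on success, or the errno name if the kernel rejects it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        try:
            s.sendto(payload, path)
            return None
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))


def alert_message(datagram):
    """Extract the NUL-terminated message text from the start of a datagram."""
    return datagram[:ALERTMSG_LENGTH].split(b"\x00", 1)[0].decode("ascii", "replace")


def demo():
    # Constructed sample: message padded to 256 bytes, then dummy trailing bytes.
    sample = b"constructed test alert".ljust(ALERTMSG_LENGTH, b"\x00") + b"\xaa" * 64
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snort_alert")
        with open_listener(path, socket.SOCK_STREAM):
            stream_result = send_alert(path, sample)  # socket type mismatch
        with open_listener(path, socket.SOCK_DGRAM) as srv:
            srv.settimeout(2)
            dgram_result = send_alert(path, sample)
            received = alert_message(srv.recv(65535))
    return stream_result, dgram_result, received


if __name__ == "__main__":
    print(demo())
```

A stream client connecting to a stream listener still works, which matches the poster's observation that a second test script could deliver data while no alerts arrived.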