[Snort-devel] Patch to have unified2 outputs for multiple snort instances

Brad Tilley brad at ...3359...
Thu Feb 14 11:02:16 EST 2013


We use one main snort.conf and include it like this in interface specific files (snort.eth1.conf, snort.eth2.conf), etc:

---
include snort.conf
preprocessor perfmonitor: time 300 file /var/log/snort/snort.eth1.stats pktcnt 10000
output unified2: filename snort.eth1.log, limit 128, mpls_event_types, vlan_event_types
---

Notice the perfmonitor preprocessor as well. If you want multiple unified2 output files from *one* snort.conf, would you not also want per-instance perfmonitor files? Why patch this for the unified2 output alone?

I rather like the approach of placing the common directives in one snort.conf and including that in a dedicated interface conf file (I think other programmers grok that approach to things as well), but that's just me.  

Just my thoughts,

Brad

On Thu, Feb 14, 2013 at 04:26:27PM +0100, Guido Hungerbuehler wrote:
> Hi
> 
> I just wrote a patch for running multiple snort instances in parallel
> from a single config file: the unified2 output of each instance is
> directed to its own file, suffixed with that instance's identifier.
> 
> Just use the -G argument to specify the instance id.
> 
> cheers
> guido
> 

> diff -rupN snort294_orig/src/output-plugins/spo_unified2.c snort294_patched/src/output-plugins/spo_unified2.c
> --- snort294_orig/src/output-plugins/spo_unified2.c	2012-09-21 02:09:14.000000000 +0200
> +++ snort294_patched/src/output-plugins/spo_unified2.c	2013-02-14 15:32:57.000000000 +0100
> @@ -298,7 +298,6 @@ static void Unified2InitFile(Unified2Con
>      }
>  
>      config->timestamp = (uint32_t)time(NULL);
> -
>      if (!config->nostamp)
>      {
>          if (SnortSnprintf(filepath, sizeof(filepath), "%s.%u",
> @@ -307,14 +306,26 @@ static void Unified2InitFile(Unified2Con
>              FatalError("%s(%d) Failed to copy unified2 file path.\n",
>                         __FILE__, __LINE__);
>          }
> -
> +        
>          fname_ptr = filepath;
>      }
>      else
>      {
>          fname_ptr = config->filepath;
>      }
> -
> +    
> +    /* If a snort instance id is given, we append it to the filename */
> +    if (snort_conf->instance_id < 0)
> +    {
> +        fname_ptr = config->filepath;
> +    }
> +    else
> +    {
> +        SnortSnprintf(filepath, sizeof(filepath), "%s_%u",
> +                      fname_ptr, snort_conf->instance_id);
> +        fname_ptr = filepath;
> +    }
> +    
>      if ((config->stream = fopen(fname_ptr, "wb")) == NULL)
>      {
>          FatalError("%s(%d) Could not open %s: %s\n",
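Review bot: The `snort_conf->instance_id < 0` test in this hunk can never be true, because `instance_id` is declared `uint32_t` in the snort.h hunk, so the else branch runs unconditionally and every unified2 file gets a `_4294967295` suffix when -G was not given; and if the test did fire it would set `fname_ptr = config->filepath`, discarding the timestamp suffix just built above. The new `SnortSnprintf` also formats `fname_ptr` into `filepath` while `fname_ptr` may already point at `filepath` (the `!config->nostamp` path), which is an overlapping-buffer copy, and its result is not checked the way the timestamp copy's is. Build the suffixed name into a separate buffer, test the sentinel explicitly, and leave the timestamped name alone otherwise. Consumers that pick up unified2 files by the trailing `.timestamp` may not recognise `name.timestamp_id`; if that matters, consider placing the id before the timestamp instead. Unified2InitFile begins before this hunk.
```c
    /* … unchanged: timestamp suffix selection above … */

    /* If a -G instance id was given, append it to the file name.  The field is
     * unsigned, so compare against the stored sentinel instead of '< 0', and
     * format into a second buffer: fname_ptr may already point at filepath, and
     * snprintf on overlapping buffers is undefined. */
    if (snort_conf->instance_id != (uint32_t)-1)
    {
        char instpath[sizeof(filepath)];
        int rc = SnortSnprintf(instpath, sizeof(instpath), "%s_%u",
                               fname_ptr, snort_conf->instance_id);
        /* … check rc exactly as the timestamp SnortSnprintf above is checked; FatalError on failure … */
        fname_ptr = instpath;
    }
```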
> diff -rupN snort294_orig/src/snort.c snort294_patched/src/snort.c
> --- snort294_orig/src/snort.c	2012-10-30 22:36:04.000000000 +0100
> +++ snort294_patched/src/snort.c	2013-02-14 15:32:58.000000000 +0100
> @@ -2272,10 +2272,12 @@ static void ParseCmdLine(int argc, char
>                      FatalError("Snort log identifier invalid: %s.  It must "
>                                 "be between 0 and %u.\n", optarg, UINT16_MAX);
>                  }
> -
> +                
> +                /* define the instance id */
> +                sc->instance_id = sc->event_log_id;
> +                
>                  /* Forms upper 2 bytes.  Lower two bytes are the event id */
>                  sc->event_log_id <<= 16;
> -
>                  break;
>  
>              case 'h':
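Review bot: The hunk deletes the two unrelated blank lines before and after the shift and adds trailing whitespace on the two added lines, which is churn that makes the change harder to review; keep the surrounding lines as they were. The assignment itself is sound, since the value was range-checked against UINT16_MAX just above. The comment `/* define the instance id */` only restates the code; say why the unshifted copy is kept: `/* keep the raw -G value; spo_unified2 appends it to the output file name */`. ParseCmdLine begins and ends outside this hunk.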
> @@ -3715,6 +3717,9 @@ SnortConfig * SnortConfNew(void)
>       * chown() use this later, -1 means no change to user_id/group_id*/
>      sc->user_id = -1;
>      sc->group_id = -1;
> +    
> +    /* the running snort instance */
> +    sc->instance_id = -1;
>  
>      sc->checksum_flags = CHECKSUM_FLAG__ALL;
>      sc->tagged_packet_limit = 256;
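Review bot: `sc->instance_id = -1;` stores a negative sentinel in a field the snort.h hunk declares `uint32_t`, so it silently becomes 4294967295 and the `< 0` test in Unified2InitFile that depends on it can never be true. Either declare the field signed or compare the stored value explicitly (`!= (uint32_t)-1`), and make the comment state the contract rather than the name: `/* -G instance id, or -1 when -G was not given (no unified2 file-name suffix) */`. SnortConfNew begins outside this hunk.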
> @@ -4154,6 +4159,7 @@ static SnortConfig * MergeSnortConfs(Sno
>      }
>  
>      config_file->event_log_id = cmd_line->event_log_id;
> +    config_file->instance_id = cmd_line->instance_id;
>  
>      if (cmd_line->dynamic_rules_path != NULL)
>      {
> diff -rupN snort294_orig/src/snort.h snort294_patched/src/snort.h
> --- snort294_orig/src/snort.h	2012-10-30 22:36:05.000000000 +0100
> +++ snort294_patched/src/snort.h	2013-02-14 11:45:49.000000000 +0100
> @@ -632,7 +632,8 @@ typedef struct _SnortConfig
>      int checksum_drop_flags;
>      int checksum_drop_flags_modified;
>  
> -    uint32_t event_log_id;      /* -G */
> +    uint32_t event_log_id;      /* -G the shifted number */
> +    uint32_t instance_id;       /* -G the given raw number */
>      int pkt_snaplen;
>      int64_t pkt_cnt;            /* -n */
>  
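Review bot: `uint32_t instance_id` cannot hold the -1 sentinel SnortConfNew assigns to it, and the `< 0` comparison Unified2InitFile performs on it is always false for an unsigned type. Since ParseCmdLine limits the -G value to 0..UINT16_MAX, a signed field fits it and makes the sentinel honest: `int32_t instance_id;       /* -G value unshifted, or -1 when -G was not given */`; alternatively keep it unsigned and add a separate "set" flag. The sibling comment could also be more precise as `/* -G value << 16: upper 16 bits of each event id */`, matching the shift in ParseCmdLine. The struct _SnortConfig definition continues outside this hunk.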




-- 

Brad Tilley
16 Systems, LLC
P.O. Box 356
Blacksburg, VA
24063



