[Snort-devel] Information Request about snort unix socket

Giancarlo Capone giancarlo.capone at ...398...
Sun Oct 26 07:16:41 EDT 2014


Good morning to all of you,
I’m an Italian student, and I’ve successfully installed snort as NIDS on an OpenSuse Virtual Machine. 

Now I’m trying to make snort printing alerts on unix-socket. I’ve firstly tried a perl script that listens to the unix socket created by snort: it works fine, but I’m only able to catch the “msg” I’ve written in the rule, but I’m not able to catch other info about the data packet itself. For instance I’d like to get ip source address and destination, as many other info. 

I’ve read the C code provided in the README.UNSOCK file, but when I try to compile it, there is a problem because, obviously, the compiler doesn’t find the snort.h file. Can you give any suggestion about how to resolve this issue? I’ve tried to find this file in snort folders, but unsuccessfully. 

I’d like also to ask you another question, because I don’t also understand where in the C code it starts listening to the unix socket. In perl code (that I’ve written at the bottom of this email) I use the following code :”Local => "$ENV{HOME}/snort_alert”)” to define the location of the unix socket I want to listen to.

I thank you in advance, and I’m sorry if my English is not so good.

Have a nice day, 
Giancarlo Capone.

PS. I write here the perl script I’ve found on internet: 

#!/usr/bin/perl
# Include the socket libraries
use IO::Socket;

# This is the template to capture the Alert Name
# Edit this to get the additional packets.
$TEMPLATE = "A256 A*”;

# Release the socket if it already exists
unlink "$ENV{HOME}/snort_alert”;

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM,
                 Local => "$ENV{HOME}/snort_alert”)
                 or die "Socket: $@“;

  print STDOUT "Socket Opened ... \n”;

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;

  while ( true ) {
  print STDOUT "\n \n \n Before receive rcv... \n”;
      recv($client,$data,1024,0);
      @FIELDS = unpack($TEMPLATE, $data);
      # print "@FIELDS \n”;
	print "@FIELDS[0] \n”;
  }

  # At termination close up the socket again.
  END {unlink "$ENV{HOME}/snort_alert";}





More information about the Snort-devel mailing list