[Snort-users] RE: How to use -A unsock option

Sean C Doherty seand at ...232...
Sun Aug 6 17:31:43 EDT 2000


Just trying my question again. (see below)  Perhaps I should not have
mentioned the Win98 word (:


I am running snort on win32 because I don't want to have to "dumb down" a
Linux box to just be a snort IDS appliance with no other services.  Snort
can be pretty useful on win32 when used with zonealarm.exe  from
www.zonelabs.com  for securing the win32 machine, and a simple VB "alert.ids
file monitor" that I wrote that uses smtp to notify me of new alerts by
pager,  ice or cell phone via email.  I am considering adding an ability to
the application to trigger a "windump" (tcpdump for win32 which uses the
same packet driver as snort) on a session based on the IDS number of the
alert and the src and dst of the session

Rather than monitoring the file "alert.ids" for changes, I would prefer to
be able to have my VB application listen to snort using the --unsock option
if I knew how to implement it.

Sorry for asking the same question a second time, I have really spent a lot
of time searching the web and various doc files for the answer.

Again, my compliments to the developers of snort, and also for providing the
win32 version.


Sean D

-----Original Message-----
Sent: Tuesday, August 01, 2000 9:25 PM
To: Snort-Users
Subject: How to use -A unsock option

Hi, I am a new user of snort (on Win98) and am amazed and delighted with its
versatility and power. It truly is "Lightweight" when it comes to resources
needed to run, but it sure is a heavyweight when it comes to utility! (I
have had up to three instances running with different rule sets (1133 rules
each) at one time, and maximum cpu resources consumed was less then 18%)

I have searched on the wwww for a few hours now for help on using the "-A
unsock" option but cannot find any reference to how to determine/set  the
socket or address of the listener application.

Can anyone help?



More information about the Snort-users mailing list