[Snort-users] RE: How to use -A unsock option

Sean C Doherty seand at ...232...
Mon Aug 7 13:33:23 EDT 2000


Well, I knew I should not have mentioned the "Win32" word.
>
> > ~ :I am running snort on win32 because I don't want to have to "dumb down" a
> > ~ :Linux box to just be a snort IDS appliance with no other services.  Snort
>
> Snort is definitely not written on a m$ box. So you are dealing with
> a port of snort, however good that one may be. ?? That's the first handicap
> you'll encounter. Secondly, the ip stack and implementation of it in m$
> sucks very big time. So go figure.
> Most of all, when it comes to security and stuff like that, please install a
> real os which can do a fine job, use a bsd or even linux, it will ease your
> life. And i mean, why not dedicate a machine for snort alone? That's what
> i did. All incoming traffic after it came through the outer firewall will
> also pass the snort machine to see what's going on. It'll run fine and do
> a good job, assuming you've got nice rules.
> Bye,

hmmm...

To eliminate the noise on this topic let me re-phrase the question:

The snort man page states:

 OPTIONS
      -A alert-mode
           Alert using the specified alert-mode. Valid alert modes include
           fast, full, none, and unsock. Fast writes alerts to the default
           "alert" file in a single-line, syslog style alert message. Full
           writes the alert to the "alert" file with the full decoded header
           as well as the alert message. None turns off alerting. Unsock is
           an experimental mode that sends the alert information out over a
           UNIX socket to another process that attaches to that socket.

Q. I would like to write a perl script to "attach" to the socket when snort
is run with the -A unsock option.  Has anyone implemented this option, and
can I get some help on how to do it?

Thanks

Sean D
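As an added illustration of the "attach to the socket" part of the question (not code from the original post, Snort, or any reply): the process on the receiving side creates and binds a UNIX-domain datagram socket, and Snort, started with `-A unsock`, sends each alert to that socket as one datagram. Everything below that the man page excerpt does not state is an assumption made for the example: the socket file name `snort_alert`, that the socket is a datagram socket, and that each datagram starts with a NUL-terminated alert message followed by opaque bytes. It is written in Python as a runnable stand-in; the same bind/recv calls exist in Perl's IO::Socket::UNIX. The `demo()` function plays the role of Snort by sending two constructed sample alerts into the socket.

```python
import os
import socket
import tempfile
import threading

# Assumption: Snort's "unsock" mode sends each alert as one datagram to a
# UNIX-domain socket that our process has created and bound. The socket
# file name and the datagram layout below are assumptions for this example,
# not facts taken from the man page quoted in the post.
SOCKET_NAME = "snort_alert"


def open_alert_socket(directory):
    """Create and bind the datagram socket Snort is expected to connect to.

    A stale socket file from an earlier run makes bind() fail with
    EADDRINUSE, so it is removed first. The file mode is tightened so that
    only this user can write alerts into the socket.
    """
    path = os.path.join(directory, SOCKET_NAME)
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o600)
    return sock, path


def parse_alert(datagram):
    """Split one datagram into the alert text and the trailing bytes.

    Assumed layout: a NUL-terminated text message first, then opaque bytes
    (decoded headers / packet data) that are kept but not interpreted.
    A datagram without a NUL is treated as text only.
    """
    nul = datagram.find(b"\0")
    text = datagram if nul < 0 else datagram[:nul]
    rest = b"" if nul < 0 else datagram[nul + 1:]
    return {"msg": text.decode("ascii", "replace"), "extra": rest}


def receive_alerts(sock, count, bufsize=65536):
    """Read `count` datagrams and return the parsed alerts in arrival order.

    One recv() returns exactly one datagram; the buffer must be at least as
    large as the largest datagram or the excess is silently discarded.
    """
    alerts = []
    while len(alerts) < count:
        data = sock.recv(bufsize)
        alerts.append(parse_alert(data))
    return alerts


def demo():
    """Stand-in for Snort: send two constructed alerts to our own socket."""
    tmpdir = tempfile.mkdtemp()
    sock, path = open_alert_socket(tmpdir)
    sock.settimeout(5)

    # Constructed sample datagrams standing in for what Snort would send
    # (an alert message, a NUL, then a few bytes of "packet" data).
    samples = [
        b"ICMP PING NMAP\0" + b"\x45\x00\x00\x1c",
        b"WEB-MISC /etc/passwd\0" + b"\x45\x00\x00\x3c",
    ]

    def sender():
        out = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        for s in samples:
            out.sendto(s, path)
        out.close()

    t = threading.Thread(target=sender)
    t.start()
    alerts = receive_alerts(sock, len(samples))
    t.join()
    sock.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return [a["msg"] for a in alerts]


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

The receiver has to exist and be bound before Snort starts, because a sender cannot deliver to a UNIX socket path nobody has bound. Whatever the real datagram layout turns out to be, keep the receive buffer large enough for a full packet, since a too-small recv() on a datagram socket drops the tail rather than returning it on the next call.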