[Snort-users] RE: How to use -A unsock option

Jed Pickel jed at ...153...
Mon Aug 7 14:59:12 EDT 2000


> To eliminate the noise on this topic let me re-phrase the question:
> 
> The snort man page states:
> 
>  OPTIONS
>       -A alert-mode
>            Alert using the specified alert-mode. Valid alert modes include
>            fast, full, none, and unsock. Fast writes alerts to the default
>            "alert" file in a single-line, syslog style alert message. Full
>            writes the alert to the "alert" file with the full decoded header
>            as well as the alert message. None turns off alerting. Unsock is
>            an experimental mode that sends the alert information out over a
>            UNIX socket to another process that attaches to that socket.
> 
> Q. I would like to write a perl script to "attach" to the socket when snort
> is run with the -A unsock option.  Has anyone implemented this option, and
> can I get some help on how to do it?

Hey Sean,

I think Fyodor and I have both experimented with this in the past. The
problem you will run into is that once you have a process receiving
the data (msg, and packet) from the socket you need to decode the
packet. Before you can do that effectively you need to either extract
a lot of functionality from snort and make a library out of it or
rewrite a good chunk of snort -- just to decode that packet. While I
think we plan to someday have libsnort we have not had a chance to
work on it for quite some time.

In the meantime you will probably find that the output plugin
interface will probably be sufficient to meet your needs. Of course it
would be easiest to use C instead of perl if you use that interface.

* Jed
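The point Jed makes is that receiving the alert over the socket is the easy half; the receiver then has to decode the raw packet that arrives with the message. The following is an added example, not code from this thread, from Snort or from Fyodor or Jed, written in Python rather than the Perl Sean asked about. It binds a Unix datagram socket, splits each record into a message and a raw frame, and decodes Ethernet/IPv4/TCP|UDP|ICMP headers with length checks at every step so a truncated or malformed frame cannot push the decoder past the buffer. The record framing (a fixed 256-byte NUL-padded message followed by the frame) is an assumption made for this example only; Snort's actual unsock structure must be taken from its own source. The socket path, `MSG_LEN`, and all function names are likewise assumptions, and the sample SYN record is constructed inline.

```python
import os
import socket
import struct

# Assumed record framing for this example only: a fixed-width, NUL-padded
# alert message followed by the raw captured frame. Snort's real unsock
# structure is defined in its own source and is not reproduced here.
MSG_LEN = 256


def ip_checksum(header):
    """RFC 1071 ones'-complement checksum over an IPv4 header (0 when valid)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(raw):
    """Decode Ethernet / IPv4 / TCP|UDP|ICMP headers from a raw frame.
    Every length is checked before unpacking so a short frame from the
    socket raises ValueError instead of being misread."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:14])
    info = {"eth_src": ":".join("%02x" % b for b in eth_src),
            "eth_dst": ":".join("%02x" % b for b in eth_dst),
            "ethertype": ethertype}
    if ethertype != 0x0800:          # only IPv4 is decoded in this example
        return info
    ip = raw[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _ff, ttl, proto,
     _csum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version or header length")
    info.update(ip_src=socket.inet_ntoa(sip), ip_dst=socket.inet_ntoa(dip),
                ip_proto=proto, ip_ttl=ttl)
    # Trust total_len only when it is consistent with what was captured.
    end = total_len if ihl <= total_len <= len(ip) else len(ip)
    l4 = ip[ihl:end]
    if proto == 6 and len(l4) >= 20:                      # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4
        info.update(sport=sport, dport=dport, tcp_seq=seq, tcp_ack=ack,
                    tcp_flags=off_flags & 0x1FF,
                    payload=l4[data_off:] if data_off >= 20 else b"")
    elif proto == 17 and len(l4) >= 8:                    # UDP
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        info.update(sport=sport, dport=dport, payload=l4[8:])
    elif proto == 1 and len(l4) >= 4:                     # ICMP
        itype, icode = struct.unpack("!BB", l4[:2])
        info.update(icmp_type=itype, icmp_code=icode, payload=l4[4:])
    else:                                                 # other / truncated
        info["l4_undecoded"] = True
    return info


def parse_alert_record(buf):
    """Split one socket datagram into (message, raw frame) per MSG_LEN framing."""
    if len(buf) <= MSG_LEN:
        raise ValueError("record too short to carry a message and a packet")
    msg = buf[:MSG_LEN].split(b"\0", 1)[0].decode("ascii", "replace")
    return msg, buf[MSG_LEN:]


def build_sample_record(msg="TEST-RULE sample alert"):
    """Constructed sample: Ethernet/IPv4/TCP SYN 10.0.0.1:40000 -> 10.0.0.2:80."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, 8192, 0, 0)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                        64, 6, 0, socket.inet_aton("10.0.0.1"),
                        socket.inet_aton("10.0.0.2"))
    iphdr = iphdr[:10] + struct.pack("!H", ip_checksum(iphdr)) + iphdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return msg.encode("ascii").ljust(MSG_LEN, b"\0") + eth + iphdr + tcp


def serve(path, handler, max_records=None):
    """Bind a Unix datagram socket at `path` and hand each decoded record to
    handler(msg, info). Stops after max_records when given."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    seen = 0
    try:
        while max_records is None or seen < max_records:
            buf = sock.recv(MSG_LEN + 65535)
            msg, pkt = parse_alert_record(buf)
            handler(msg, decode_packet(pkt))
            seen += 1
    finally:
        sock.close()
        os.unlink(path)


if __name__ == "__main__":
    import sys
    # Assumed socket path; the sender must use the same path.
    serve(sys.argv[1] if len(sys.argv) > 1 else "/tmp/snort_alert_example",
          lambda m, p: print(m, p))
```

The decoder raises on anything it cannot account for rather than guessing, which is the property you want in a process that consumes data from a sensor: a bad frame should produce a logged error, not a silently wrong source address in an alert. Everything beyond these three headers (IP options, TCP options, fragments, IPv6) is exactly the "good chunk of snort" Jed refers to.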
