[Snort-users] STDOUT

Martin Roesch roesch at ...421...
Fri Sep 15 16:31:57 EDT 2000


Comments at the bottom:

Phil Wood wrote:
> 
> At the risk of ridicule, I wanted to do the following:
> 
> 1. Just write alerts in tcpdump format to a file in the -l <directory>
>    and do not create <directory>/alert.  [Still have a problem with "portscan".
>    I'd like it to put all its stuff in the same tcpdump file]
> 
>    # snort -i $INTERFACE -TL$LOGNAME -TR -TC5000 -TM0 -d -b -A none -o \
>       -l LOG_DIR -c scripts/wy.rules -F scripts/wy.bpf
> 
>    [ignore the -T flags, they allow me to talk dirty to my ringbuffered libpcap.
> 
>    [except for the $LOGNAME, which allows me to change the default name of the
>     tcpdump file snort-<mmdd at ...449...>.log
> 
> 2. Generate the ascii alert stuff out-o-band with snort, possibly on a different
>    piece of hardware using stdout on the raw data in $LOGNAME..
> 
>    [so I came up with quick hack of OpenAlertFile in log.c to do an fdopen on
>     stdout.  This is probably pretty bad code, cause it assumes stdout is on
>     fildes 1.
> 
>    [Now for the question. How could I have done this without modifying the code?
> 
>    [Here is a sample run on the data created from step 1.
> 
>    # snort -r $LOGFILE -N -c scripts/wy.rules -q -A stdout
> 
>    Initializing Network Interface...
>    snaplen = 1514
>    Entering readback mode....
>    09/13-16:16:00.458547  [**] Tiny Fragments - Possible Hostile Activity [**] 10.1.2.97 -> 10.1.2.17
>    09/13-16:18:17.546041  [**] Tiny Fragments - Possible Hostile Activity [**] 
10.1.2.97 -> 10.1.2.17

Without modifying any code?  I'm not sure you could.  I'd probably think about
rigging something up using the unixsock alerting mechanism, which transmits
the raw packet data out the socket interface.  Maybe Snort could be modified
to take a unix socket as an input stream?  That'd be interesting.

Alternatively, the packet (and a snort alert ID) could be passed to an
external process through a spooling mechanism and post processed by another
program.  We've been talking about doing something like this for a while
now...

    -Marty

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org



More information about the Snort-users mailing list