[Snort-users] Snort and Unix-Socket

TSauter at ...158... TSauter at ...158...
Wed Nov 21 10:59:03 EST 2001


Hello Snort-Users,

First, thanks for your wonderful Snort product. It works fine and makes my life
easier.

WatchGuard has released software to send messages or block addresses
directly with this software. But how can I get
the Snort messages and call this program directly from Snort?

One way, I think, is the possibility to send the alerts to syslog and then use
a tool like swatch to call the WatchGuard
software. But for this method I need a logfile on the Snort machine which
can blow up and needs to be cleared from time
to time. The other way is using the unixsock output plugin, reading the
socket with a little daemon and then calling the
external program.

But after some tests and "googling" I think the plugin never sends any data to
the socket. At the same time the alert will
be detected and sent to the MySQL database and to syslog. So, the
generated attack will be detected by Snort, but doesn't get
sent to the socket.

<code-snipset>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define MAXLEN 4096

int main(void)
{
        int sockfd, n, i;
        struct sockaddr_un adress;
        socklen_t adrlen;
        char buffer[MAXLEN];

        if((sockfd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
                perror("socket");
                exit(EXIT_FAILURE);
        }

        memset(&adress, 0, sizeof(adress));
        adress.sun_family = AF_UNIX;
        strncpy(adress.sun_path, "/dev/snort_alert", sizeof(adress.sun_path) - 1);
        adrlen = sizeof(adress);

        /* A stale socket file left by a previous run makes bind() fail. */
        unlink(adress.sun_path);
        if(bind(sockfd, (struct sockaddr *) &adress, adrlen) == -1) {
                perror("bind");
                exit(EXIT_FAILURE);
        }

        /* The alert_unixsock plugin writes to a SOCK_DGRAM socket with sendto(),
         * so there is no connection to listen()/accept() on (listen() on a
         * datagram socket fails with EOPNOTSUPP). Each alert arrives as one
         * datagram and is read with recvfrom(). */
        while((n = recvfrom(sockfd, buffer, MAXLEN, 0, NULL, NULL)) > 0) {
                /* i < n, not i < n-1: the original loop dropped the last byte */
                for(i = 0; i < n; i++) {
                        printf("%c=%02x ", buffer[i], (unsigned char) buffer[i]);
                }
                printf("\n");
                fflush(stdout);
        }
        perror("recvfrom");
        return 0;
}
</code-snipset>

Environment: OpenBSD 2.9-current/ Snort-1.8.2/ MySQL

<snort.conf>
output alert_syslog: LOG_LOCAL7
output database: alert, mysql, user=XXX password=XXX dbname=snortdb host=localhost
output alert_unixsock
</snort.conf>

Where is my mistake? Or is the plugin currently not working?
Or is there any other practicable way to call an external program?

Thanks a lot
Thorsten

P.S. Sorry for this poor English :)


-- 
Thorsten Sauter
<tsauter at ...158...>
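The second approach described in the message (a small daemon reading the unixsock output and calling an external program) as an added example; this is not the poster's code and not part of Snort. It binds a datagram socket at /dev/snort_alert, receives one Alertpkt per alert, pulls the alert text out and hands it to an external program without going through a shell. Assumptions: the Alertpkt mirror below must match the layout of spo_alert_unixsock.h in the sending Snort build (ALERTMSG_LENGTH 256 and SNAPLEN 1514 are the Snort 1.8 values, and struct pcap_pkthdr is spelled out as timeval + caplen + len), and /usr/local/bin/snort-handler is a hypothetical stand-in for the WatchGuard tool.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/un.h>
#include <sys/wait.h>

#define UNSOCK_FILE     "/dev/snort_alert"            /* path alert_unixsock sends to */
#define ALERTMSG_LENGTH 256                           /* Snort 1.8 spo_alert_unixsock.h */
#define SNAPLEN         1514
#define HANDLER         "/usr/local/bin/snort-handler"  /* hypothetical external program */

/* Mirror of Snort 1.8's Alertpkt. Assumption: field order and sizes must match
 * the struct in the spo_alert_unixsock.h of the Snort that is sending, with
 * struct pcap_pkthdr (timeval, caplen, len) in the same position. */
typedef struct {
        uint8_t  alertmsg[ALERTMSG_LENGTH];
        struct { struct timeval ts; uint32_t caplen; uint32_t len; } pkth;
        uint32_t dlthdr, nethdr, transhdr, data;   /* header offsets into pkt[] */
        uint32_t val;                              /* which offsets are valid */
        uint8_t  pkt[SNAPLEN];
} Alertpkt;

/* Copy the alert text of one datagram into msg (always NUL-terminated).
 * Returns 0 on success, -1 if the datagram is too short to be an Alertpkt. */
int parse_alert(const Alertpkt *ap, size_t n, char *msg, size_t msglen)
{
        size_t len = 0;
        if (n < sizeof(Alertpkt) || msglen == 0)
                return -1;
        /* alertmsg is not guaranteed to be terminated within its 256 bytes */
        while (len < ALERTMSG_LENGTH && ap->alertmsg[len] != '\0')
                len++;
        if (len >= msglen)
                len = msglen - 1;
        memcpy(msg, ap->alertmsg, len);
        msg[len] = '\0';
        return 0;
}

/* Bind a datagram socket at path; Snort sendto()s one Alertpkt per alert. */
int open_alert_socket(const char *path)
{
        struct sockaddr_un addr;
        int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
        if (fd == -1)
                return -1;
        memset(&addr, 0, sizeof addr);
        addr.sun_family = AF_UNIX;
        strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
        unlink(path);                       /* remove a stale socket file */
        if (bind(fd, (struct sockaddr *) &addr, sizeof addr) == -1) {
                close(fd);
                return -1;
        }
        return fd;
}

/* Run HANDLER with the alert text as a single argv entry. No shell is involved,
 * so nothing in the alert text can be interpreted as shell syntax. */
int run_handler(const char *msg)
{
        int status;
        pid_t pid = fork();
        if (pid == -1)
                return -1;
        if (pid == 0) {
                execl(HANDLER, HANDLER, msg, (char *) NULL);
                _exit(127);
        }
        if (waitpid(pid, &status, 0) == -1)
                return -1;
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
        Alertpkt ap;
        char msg[ALERTMSG_LENGTH];
        int fd = open_alert_socket(UNSOCK_FILE);
        if (fd == -1) {
                perror("open_alert_socket");
                return 1;
        }
        for (;;) {
                ssize_t n = recvfrom(fd, &ap, sizeof ap, 0, NULL, NULL);
                if (n == -1) {
                        perror("recvfrom");
                        break;
                }
                if (parse_alert(&ap, (size_t) n, msg, sizeof msg) == -1) {
                        fprintf(stderr, "short datagram (%zd bytes), ignored\n", n);
                        continue;
                }
                printf("alert: %s\n", msg);
                run_handler(msg);
        }
        close(fd);
        return 0;
}
```

Start the daemon before Snort so the socket file exists when the plugin first tries to send. Whoever can write to /dev/snort_alert can inject fake alerts and make the handler act on them (for a tool that blocks addresses, that is a denial-of-service lever), so create the socket with a restrictive umask and make the socket file writable only by the user Snort runs as.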
