[Snort-users] Snort and Unix-Socket

Fyodor fygrave at ...121...
Wed Nov 21 16:01:02 EST 2001


[snip snip]
> 
> But after some tests and "googles" I think the plugin never sends any data to
> the socket. At the same time the alert will
> be detected and sent to the mysql-database and to the syslog. So, the
> generated attack will be detected by snort, but isn't
> sent to the socket.
> 
> <code-snippet>
>         if((sockfd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
>                 fprintf(stderr, "Failed to call socket.");
>                 exit(EXIT_FAILURE);
>         }
> 
>         adress.sun_family = AF_UNIX;
>         strcpy(adress.sun_path, "/dev/snort_alert");
>         adrlen = sizeof(adress.sun_family) + strlen(adress.sun_path);
> 
>         if(bind(sockfd, (struct sockaddr *) &adress, adrlen) == -1) {
>                 fprintf(stderr, "Unable to bind socket.");
>                 exit(EXIT_FAILURE);
>         }
> 
>         if(listen(sockfd, 5) == -1) {
>                 fprintf(stderr, "Unable to listen on socket.");
>                 exit(EXIT_FAILURE);
>         }
> 
>         while((connfd = accept(sockfd, (struct sockaddr *) &adress,
> &adrlen)) >= 0) {

I don't think you need to and can call accept and listen on
connection-less sockets (which SOCK_DGRAM is); all you need is to call
recvfrom() on the socket. Look through the snort-devel or snort-users
mailing list archives; I posted a sample of how to use unix sockets
with snort a while ago.
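As an added example (not code from this thread or from Snort itself), the receiver side written the way the reply describes: bind a SOCK_DGRAM Unix socket at the path Snort's alert_unixsock plugin sends to and read it with recvfrom(), with no listen()/accept(). The self-test path, the constructed alert text and the assumption that the alert message sits at the start of each datagram are mine, not from the post; the self-test stands in for Snort with a constructed datagram.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Bind a SOCK_DGRAM Unix socket at `path` (Snort's alert_unixsock sends to
 * /dev/snort_alert by default).  listen()/accept() fail with EOPNOTSUPP on a
 * datagram socket; the sender just sendto()s the bound path. */
int open_alert_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (fd == -1) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                      /* a stale socket node makes bind() fail */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) == -1) { close(fd); return -1; }
    return fd;
}

/* Block for one datagram and copy its leading NUL-terminated text into msg
 * (assumed: the alert message is the first field).  Returns datagram length or -1. */
ssize_t read_alert(int fd, char *msg, size_t msglen)
{
    unsigned char buf[65536];          /* larger than any single alert datagram */
    ssize_t n = recvfrom(fd, buf, sizeof buf, 0, NULL, NULL);
    if (n <= 0) return -1;
    unsigned char *end = memchr(buf, 0, (size_t)n);
    size_t text = end ? (size_t)(end - buf) : (size_t)n;
    if (text >= msglen) text = msglen - 1;
    memcpy(msg, buf, text);
    msg[text] = '\0';
    return n;
}

/* Loopback self-test: a constructed datagram stands in for Snort.  Returns 1
 * when the receiver gets exactly the bytes the sender wrote, else 0. */
int selftest(void)
{
    const char path[] = "/tmp/snort_alert_selftest", alert[] = "constructed test alert";
    struct sockaddr_un to = { .sun_family = AF_UNIX }; char msg[256];
    int rx = open_alert_socket(path), tx = socket(PF_UNIX, SOCK_DGRAM, 0), ok;
    if (rx == -1 || tx == -1) return 0;
    strncpy(to.sun_path, path, sizeof to.sun_path - 1);
    ok = sendto(tx, alert, sizeof alert, 0, (struct sockaddr *)&to, sizeof to) == (ssize_t)sizeof alert
      && read_alert(rx, msg, sizeof msg) == (ssize_t)sizeof alert && strcmp(msg, alert) == 0;
    close(tx); close(rx); unlink(path);
    return ok;
}
```

The receiver must be bound at the path before Snort starts sending, otherwise Snort's sendto() has no peer and the alerts are dropped; a real consumer loops on read_alert() after open_alert_socket("/dev/snort_alert").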
