[Snort-users] Snort and Unix-Socket

Phil Wood cpw at ...440...
Wed Nov 21 21:47:01 EST 2001


I'm following up my own message.

On Wed, Nov 21, 2001 at 07:02:16PM -0700, Phil Wood wrote:
> I actually got this to work, but to make it work in a general way I modified
> snort.  Don't think my changes ever made it in.  The change just allowed
> me to specify the file to use rather than the hard coded one in snort source.

Here is an example I just ran to see if the code I posted worked:

  Start up the unixsockd program.

  % ./unixsockd /tmp/socketname
  socket --> /tmp/socketname

  (start snort running with following entry in conf file:
   output alert_unixsock: /tmp/socketname [note: need a few mods to snort to
   get it to honor the argument to alert_unixsock output plugin])

  From somewhere on the net a gnome of sorts runs the following snippet against
  my machine:

  # teardrop1 192.198.1.97 192.198.1.97 -t 22
  teardrop   route|daemon9
  
  Death on flaxen wings:
  From:  192.198.1.97.43979
    To:  192.198.1.97.   22
   Amt:     1
  [ b00m ]

  (back on the machine running unixsockd)

  BAD TRAFFIC same SRC/DST
  spp_frag2: Teardrop attack
  BAD TRAFFIC same SRC/DST
  BAD TRAFFIC same SRC/DST
  
-- 
Phil Wood, cpw at ...440...
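For readers who want to reproduce the listener side of this, here is a minimal stand-in for unixsockd. It is an added example written for this page, not Phil Wood's program and not Snort's own code. It assumes the Alertpkt layout that Snort's alert_unixsock plugin writes (a 256-byte NUL-terminated alertmsg, a struct pcap_pkthdr, four u_int32 header offsets, a u_int32 flag word, then the captured packet), and that the host is 64-bit little-endian Linux, since Snort writes the struct in host layout; the PKTHDR format and the 14-byte Ethernet offset are assumptions to adjust for other platforms. The default path /dev/snort_alert is the one stock Snort of this era has hard-coded, which is what the patch mentioned in the post lets you override. The `build_alert` helper only produces constructed sample datagrams so the parser can be exercised without a running sensor.

```python
#!/usr/bin/env python3
"""Receiver for Snort's alert_unixsock output plugin (added example).

Snort is the sender: it sendto()s one Alertpkt per alert to an AF_UNIX
SOCK_DGRAM path that must already be bound, which is why unixsockd is
started before snort in the post.  Assumed struct layout (from
spo_alert_unixsock.c, 64-bit little-endian Linux host):
    u_int8_t  alertmsg[256];
    struct pcap_pkthdr pkth;   /* timeval ts; u_int caplen; u_int len */
    u_int32_t dlthdr, nethdr, transhdr, data;   /* offsets into pkt[] */
    u_int32_t val;             /* NOPACKET_STRUCT | NO_TRANSHDR */
    u_int8_t  pkt[SNAPLEN];
"""
import os
import socket
import struct
import sys

ALERTMSG_LENGTH = 256
NOPACKET_STRUCT = 0x1   # val flag: no packet accompanies the alert
NO_TRANSHDR = 0x2       # val flag: transhdr offset is not valid

PKTHDR = struct.Struct("<qqII")    # tv_sec, tv_usec, caplen, len (assumed 64-bit timeval)
OFFSETS = struct.Struct("<IIIII")  # dlthdr, nethdr, transhdr, data, val
HEADER_LEN = ALERTMSG_LENGTH + PKTHDR.size + OFFSETS.size  # 300 bytes


def parse_alert(datagram):
    """Decode one Alertpkt datagram into a dict; raises ValueError on a runt."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("runt alert datagram: %d bytes" % len(datagram))
    msg = datagram[:ALERTMSG_LENGTH].split(b"\0", 1)[0].decode("ascii", "replace")
    tv_sec, tv_usec, caplen, length = PKTHDR.unpack_from(datagram, ALERTMSG_LENGTH)
    dlthdr, nethdr, transhdr, data, val = OFFSETS.unpack_from(
        datagram, ALERTMSG_LENGTH + PKTHDR.size)
    if val & NOPACKET_STRUCT:
        pkt = b""   # e.g. a preprocessor alert raised without a packet
    else:
        pkt = datagram[HEADER_LEN:HEADER_LEN + caplen]
        if len(pkt) != caplen:
            raise ValueError("caplen %d exceeds datagram" % caplen)
    return {
        "msg": msg,
        "ts": (tv_sec, tv_usec),
        "caplen": caplen,
        "len": length,
        "offsets": {"dl": dlthdr, "net": nethdr, "trans": transhdr, "data": data},
        "val": val,
        "pkt": pkt,
    }


def build_alert(msg, pkt=b"", ts=(0, 0), val=0, nethdr=14):
    """Constructed sample datagram in the layout above (for offline testing only;
    in real use Snort is the sender).  alertmsg is truncated to 255 chars + NUL."""
    body = msg.encode("ascii", "replace")[:ALERTMSG_LENGTH - 1]
    body = body.ljust(ALERTMSG_LENGTH, b"\0")
    body += PKTHDR.pack(ts[0], ts[1], len(pkt), len(pkt))
    body += OFFSETS.pack(0, nethdr, 0, 0, val)  # assumed: IP after 14-byte Ethernet
    return body + pkt


def bind_alert_socket(path):
    """Create the datagram socket Snort will send to, with mode 0600.

    Any local user who can write to the socket node can forge alerts into
    whatever consumes them, so bind under a restrictive umask.
    """
    if os.path.exists(path):
        os.unlink(path)
    old_umask = os.umask(0o177)
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    return sock


def serve(path):
    """Equivalent of the post's `unixsockd /tmp/socketname`: print each alert."""
    sock = bind_alert_socket(path)
    print("socket -->", path)
    while True:
        alert = parse_alert(sock.recv(HEADER_LEN + 65535))
        print(alert["msg"])


if __name__ == "__main__":
    # /dev/snort_alert is the path hard-coded in unpatched Snort of this era.
    serve(sys.argv[1] if len(sys.argv) > 1 else "/dev/snort_alert")
```

Run it as `./unixsock_recv.py /tmp/socketname` before starting snort with `output alert_unixsock` (patched, as the post describes, to take that path); the three "BAD TRAFFIC same SRC/DST" lines and the spp_frag2 alert from the post would then come out of `serve`. Because the datagram is a raw host-layout C struct, the parser is only as correct as the size assumptions in PKTHDR; check `HEADER_LEN` against `sizeof(Alertpkt) - SNAPLEN` on the sensor if the messages come out garbled.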




