[Snort-users] Alert_unixsock

Fyodor fygrave at ...121...
Tue Sep 4 14:05:09 EDT 2001


On Mon, Sep 03, 2001 at 06:28:48PM -0400, Anupam Bansal wrote:
> 
> Fyodor,
> 
> Is it possible you can dig up this sample for me please ??
> 
> Are there any other ways to send data to a socket directly ??
> 


I failed to find my old code, so here it goes (briefly from the top of
my head, be aware that you need to be more error-prone in actual
implementation):

You don't send it, you 'bind' a unix socket and then you receive from it. 

#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>
#include "snort.h"
#include "spo_alert_unixsock.h"   /* Alertpkt typedef and UNSOCK_FILE */

...

int sockfd;
struct sockaddr_un snortaddr;
struct sockaddr_un bogus;
socklen_t boguslen;
Alertpkt alert;               /* typedef'd struct, filled in by snort */

sockfd = socket(AF_UNIX, SOCK_DGRAM, 0);

memset(&snortaddr, 0, sizeof(snortaddr));
snortaddr.sun_family = AF_UNIX;
/* path must match the one spo_alert_unixsock.c connects to */
strncpy(snortaddr.sun_path, UNSOCK_FILE, sizeof(snortaddr.sun_path) - 1);

bind(sockfd, (struct sockaddr *)&snortaddr, sizeof(snortaddr));

for (;;) {
    boguslen = sizeof(bogus);
    recvfrom(sockfd, &alert, sizeof(alert), 0, (struct sockaddr *)&bogus, &boguslen);
    /* parse out alert structure here and do whatever you want with it
       (message will be in alert.alertmsg, raw packet data will be in
       alert.pkt, offsets will be in alert.nethdr, alert.transhdr,
       alert.dlthdr, alert.data) */
}

If you need more data here from alert, modify spo_alert_unsocket.c/h routines :)

As for the other ways, you always can code up an output plugin (see also
spo_snortnet code, another attempt of mine to send data to a network
socket).

hope it helps,

-Fyodor
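A fuller receiver in the same spirit, added here as an example and not Fyodor's or Snort's own code: it binds the socket with error checks, rejects datagrams shorter than the struct, forces the message NUL-terminated, and bounds-checks the sender-supplied offsets before they are used to index pkt[]. DemoAlertpkt, DEMO_MSG_LEN and DEMO_SNAPLEN are assumed stand-ins for Snort's real header.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Stand-in for Snort's Alertpkt (an assumption for this self-contained demo):
 * a real consumer must include spo_alert_unixsock.h so the field layout and
 * SNAPLEN match the snort binary writing to the socket. */
#define DEMO_MSG_LEN 256
#define DEMO_SNAPLEN 1514
typedef struct {
    char alertmsg[DEMO_MSG_LEN];
    unsigned dlthdr, nethdr, transhdr, data;   /* offsets into pkt[] */
    unsigned char pkt[DEMO_SNAPLEN];
} DemoAlertpkt;

/* Create and bind the datagram socket snort sends to; fd or -1 on failure. */
int open_alert_socket(const char *path)
{
    struct sockaddr_un addr; int fd;
    if (strlen(path) >= sizeof(addr.sun_path)) return -1;
    unlink(path);                      /* a stale socket file makes bind() fail */
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { close(fd); return -1; }
    return fd;
}

/* Receive one alert. Returns bytes read; 0 if the datagram is shorter than the
 * struct (layout mismatch: reject it rather than read stale bytes); -1 on error.
 * alertmsg is forced NUL-terminated because the sender is not trusted to do so. */
ssize_t read_alert(int fd, DemoAlertpkt *out)
{
    ssize_t n = recv(fd, out, sizeof(*out), 0);
    if (n < 0) return -1;
    if ((size_t)n < sizeof(*out)) return 0;
    out->alertmsg[DEMO_MSG_LEN - 1] = '\0';
    return n;
}

/* Offsets come from the sender: bounds-check them before indexing pkt[]. */
int alert_offsets_ok(const DemoAlertpkt *a)
{
    return a->dlthdr < DEMO_SNAPLEN && a->nethdr < DEMO_SNAPLEN &&
           a->transhdr < DEMO_SNAPLEN && a->data < DEMO_SNAPLEN;
}
```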
