[Snort-users] yet another unix socket question...

Dr. Richard W. Tibbs ccamp at ...4532...
Sun Jan 13 16:48:04 EST 2002


Thanks, Fyodor.  Your code sample really helped. Things are "working", 
that is, I succeed in getting the alerts via the socket. But.... some 
weird results: all the alerts appear to be length 2 bytes.  I describe 
my approach below.

Several questions at this point:
1) For testing the socket alert, I would like to set up snort to alert 
only pings.  (I will ping from same machine as snort is running, and 
make sure I get all the packets, etc.)
I think there must be many ways of doing this, but after reading the 
snort manual, the simplest one I come up with is:

snort -A unsock -c snort.conf

< where somewhere in snort.conf ...>
#################################
# Step #3 Configure output plugins...
#  (blah blah)
output alert_unixsock
alert icmp any any -> any any
<rest of snort.conf ... but all other rule files commented out >

All pings (and maybe a few other packets, if any go by) should be sent 
to the unix socket, right?
What I am seeing with the above config of snort is a sequence of pings 
that are indeed alerted to the socket,
but the len parameter from recvfrom is always 2 (bytes, I guess).
Why would only two bytes be returned?

2) I notice in the code sample you sent, that the variables snortaddr & 
bogus are declared sockaddr_un, but then cast to sockaddr in the bind 
and recvfrom calls. Why is this? Shouldn't it be cast to sockaddr_un? 
(Either way, I get 2 bytes for each ping .)

3) Finally: Where are the various
sys/types.h
sys/socket.h ...
located in a Suse linux distrib?
Your question 2 emails ago "..how is myaddr declared.." is a good one;
from the socket how-tos I found on google, I thought everything could 
just be "sockaddr".
Evidently, there is sockaddr_un (... maybe others for different socket 
flavors?).
If I could just scan the .h files for relevant structs, at least an 
erstwhile socket programmer would know they exist! ;-)


 >>>RWT

Fyodor wrote:

> Attached is the README for the unix sockets feature, which I have written
> quickly. If you have any questions, queries or comments, please let us
> know.
> 
> -Fyodor
> 
> 
> ------------------------------------------------------------------------
> 
> $Id: README.UNSOCK,v 1.1 2002/01/13 16:27:09 fygrave Exp $
> 
> It is possible to send alert messages and some packet-relevant data
> from snort through a unix socket, to perform additional separate
> processing of alert data. 
> Snort has to be built with the spo_unsock.c/h output plugin built in, and
> -A unsock (or its equivalent through the config file) has to be
> used. The unix socket file should be created in /dev/snort_alert. Your
> 'client' code should act as a 'server' listening on this unix socket.
> Snort will be sending you Alertpkt structures which contain the alert
> message, event id, original datagram, libpcap pkthdr, and offsets to the
> datalink, network layer, and transport layer headers.
> 
> Below is an example of how unix sockets could be used. If you have any
> comments, bug reports, or feature requests, please contact
> snort-devel at lists.sourceforge.net or drop me an email to fygrave at
> tigerteam dot net.
> 
> -Fyodor
> 
> [for copyright notice, see snort distribution code]
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>		/* memset, strncpy */
> #include <unistd.h>		/* close, unlink */
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/un.h>
> #include <netinet/in.h>		/* IPPROTO_*, ntohs */
> #include <arpa/inet.h>		/* inet_ntoa */
> #include <signal.h>
> #include "snort.h"		/* Alertpkt, Packet, UNSOCK_FILE, NOPACKET_STRUCT */
> 
> int sockfd;
> 
> void
> sig_term (int sig)
> {
>   printf ("Exiting!\n");
>   close (sockfd);
>   unlink (UNSOCK_FILE);
>   exit (1);
> }
> 
> int
> main (void)
> {
>   struct sockaddr_un snortaddr;
>   struct sockaddr_un bogus;
>   Alertpkt alert;
>   Packet *p = NULL;
>   socklen_t len = sizeof (struct sockaddr_un);
> 
>   if ((sockfd = socket (AF_UNIX, SOCK_DGRAM, 0)) < 0)
>     {
>       perror ("socket");
>       exit (1);
>     }
> 
>   /* remove the socket file on SIGTERM/SIGINT too, not only on EOF */
>   signal (SIGTERM, sig_term);
>   signal (SIGINT, sig_term);
> 
>   memset (&snortaddr, 0, sizeof (snortaddr));
>   snortaddr.sun_family = AF_UNIX;
>   /* sun_path is a fixed-size array: use a bounded copy, never strcpy() */
>   strncpy (snortaddr.sun_path, UNSOCK_FILE, sizeof (snortaddr.sun_path) - 1);
> 
>   /* a socket file left behind by a previous run makes bind() fail
>      with EADDRINUSE, so clear it first */
>   unlink (UNSOCK_FILE);
> 
>   /* bind() takes the generic struct sockaddr *; sockaddr_un is the
>      AF_UNIX-specific layout behind that pointer */
>   if (bind (sockfd, (struct sockaddr *) &snortaddr, sizeof (snortaddr)) < 0)
>     {
>       perror ("bind");
>       exit (1);
>     }
> 
>   for (;;)
>     {
>       /* recvfrom() overwrites len with the length of the sender's
>          address, so it has to be reset before every call; the number
>          of alert bytes received is the return value, not len */
>       len = sizeof (bogus);
>       if (recvfrom (sockfd, (void *) &alert, sizeof (alert),
> 		    0, (struct sockaddr *) &bogus, &len) <= 0)
> 	break;
> 
>       if (!(alert.val & NOPACKET_STRUCT))
> 	{
> 	  if ((p = calloc (1, sizeof (Packet))) == NULL)
> 	    {
> 	      perror ("calloc");
> 	      exit (1);
> 	    }
> 
> 	  p->pkt = alert.pkt;
> 	  p->pkth = &alert.pkth;
> 	  if (alert.dlthdr)
> 	    p->eh = (EtherHdr *) (alert.pkt + alert.dlthdr);
> 	  if (alert.nethdr)
> 	    {
> 	      p->iph = (IPHdr *) (alert.pkt + alert.nethdr);
> 	      if (alert.transhdr)
> 		{
> 		  switch (p->iph->ip_proto)
> 		    {
> 		    case IPPROTO_TCP:
> 		      p->tcph = (TCPHdr *) (alert.pkt + alert.transhdr);
> 		      break;
> 		    case IPPROTO_UDP:
> 		      p->udph = (UDPHdr *) (alert.pkt + alert.transhdr);
> 		      break;
> 		    case IPPROTO_ICMP:
> 		      p->icmph = (ICMPHdr *) (alert.pkt + alert.transhdr);
> 		      break;
> 		    default:
> 		      printf ("WTF!\n");
> 		    }		/* case */
> 		}		/* thanshdr */
> 	    }			/* nethdr */
> 	  if (alert.data)
> 	    p->data = alert.pkt + alert.data;
> 
> 	  /*  now  do whatever you want with these packet structures */
> 	}			/* if (!NOPACKET_STRUCT) */
> 
>       printf ("%s [%d]\n", alert.alertmsg, alert.event.event_id);
>       if (!(alert.val & NOPACKET_STRUCT))
> 	if (p->iph && (p->tcph || p->udph || p->icmph))
> 	  {
> 	    switch (p->iph->ip_proto)
> 	      {
> 	      case IPPROTO_TCP:
> 		printf ("TCP from: %s:%d ",
> 			inet_ntoa (p->iph->ip_src),
> 			ntohs (p->tcph->th_sport));
> 		printf ("to: %s:%d\n", inet_ntoa (p->iph->ip_dst),
> 			ntohs (p->tcph->th_dport));
> 		break;
> 	      case IPPROTO_UDP:
> 		printf ("UDP from: %s:%d ",
> 			inet_ntoa (p->iph->ip_src),
> 			ntohs (p->udph->uh_sport));
> 		printf ("to: %s:%d\n", inet_ntoa (p->iph->ip_dst),
> 			ntohs (p->udph->uh_dport));
> 		break;
> 	      case IPPROTO_ICMP:
> 		printf ("ICMP type: %d code: %d from: %s ",
> 			p->icmph->type,
> 			p->icmph->code, inet_ntoa (p->iph->ip_src));
> 		printf ("to: %s\n", inet_ntoa (p->iph->ip_dst));
> 		break;
> 	      }
> 	  }
> 
>       if (!(alert.val & NOPACKET_STRUCT))
> 	{
> 	  free (p);		/* one Packet per alert; do not leak it */
> 	  p = NULL;
> 	}
>     }
> 
>   perror ("recvfrom");
>   close (sockfd);
>   unlink (UNSOCK_FILE);
> 
>   return 0;
> }
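As an added example, not part of the original post and not Snort's own code, the following stand-alone C program exercises the same AF_UNIX SOCK_DGRAM pattern as the README client without needing Snort at all: it binds a receiver at a path (the "client acts as server" role from the README), sends one datagram to it from a second socket that is deliberately never bound, and records what recvfrom() reports. It makes two things visible. First, the size of the datagram is recvfrom()'s return value, while the last argument (the `len` variable in the README code) is an in/out parameter that comes back holding the length of the sender's address; for a sender that never called bind() that address carries at most the sa_family_t field (2 bytes on the Linux kernels of the README's era, 0 on newer ones), and it has to be reset before each call. Second, every socket call takes the generic `struct sockaddr *`, and `struct sockaddr_un` is simply the AF_UNIX-specific layout behind that pointer (as `sockaddr_in` is for IPv4); the cast is the normal way to pass it. The socket path under /tmp and the 1500-byte payload standing in for an Alertpkt are assumptions for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

/* What one recvfrom() call on the receiving socket reported. */
struct dgram_result
{
  ssize_t nbytes;             /* return value: size of the datagram received */
  socklen_t addrlen;          /* the in/out address-length argument afterwards */
};

/* Fill an AF_UNIX address; refuses paths that would not fit in sun_path. */
static int
make_unix_addr (struct sockaddr_un *sa, const char *path)
{
  memset (sa, 0, sizeof (*sa));
  sa->sun_family = AF_UNIX;
  if (strlen (path) >= sizeof (sa->sun_path))
    return -1;
  strncpy (sa->sun_path, path, sizeof (sa->sun_path) - 1);
  return 0;
}

/* Receiver bound at `path` (the role the README client plays), sender left
 * unbound (plain socket() + sendto()).  Sends `msg`, receives it, and stores
 * recvfrom()'s two length results in *out.  Returns 0 if the datagram came
 * back intact, -1 on any error.  Path and payload are the caller's choice. */
int
unix_dgram_roundtrip (const char *path, const void *msg, size_t msglen,
                      struct dgram_result *out)
{
  struct sockaddr_un addr, peer;
  unsigned char buf[65536];
  int rx = -1, tx = -1, rc = -1;

  if (make_unix_addr (&addr, path) < 0)
    return -1;
  unlink (path);              /* stale file from a crashed run => EADDRINUSE */

  if ((rx = socket (AF_UNIX, SOCK_DGRAM, 0)) < 0)
    goto out;
  /* Generic struct sockaddr * in the call; sockaddr_un is the AF_UNIX layout. */
  if (bind (rx, (struct sockaddr *) &addr, sizeof (addr)) < 0)
    goto out;

  if ((tx = socket (AF_UNIX, SOCK_DGRAM, 0)) < 0)
    goto out;
  /* No bind() on tx: the sender has no name for the receiver to see. */
  if (sendto (tx, msg, msglen, 0, (struct sockaddr *) &addr, sizeof (addr))
      != (ssize_t) msglen)
    goto out;

  memset (&peer, 0, sizeof (peer));
  out->addrlen = sizeof (peer);   /* in: buffer size; out: peer address length */
  out->nbytes = recvfrom (rx, buf, sizeof (buf), 0,
                          (struct sockaddr *) &peer, &out->addrlen);
  if (out->nbytes == (ssize_t) msglen && memcmp (buf, msg, msglen) == 0)
    rc = 0;

out:
  if (tx >= 0)
    close (tx);
  if (rx >= 0)
    close (rx);
  unlink (path);
  return rc;
}

int
main (void)
{
  /* Constructed payload standing in for an Alertpkt: 1500 bytes of 'A'. */
  unsigned char fake_alert[1500];
  struct dgram_result r;
  memset (fake_alert, 'A', sizeof (fake_alert));

  if (unix_dgram_roundtrip ("/tmp/unsock_demo.sock", fake_alert,
                            sizeof (fake_alert), &r) < 0)
    {
      perror ("unix_dgram_roundtrip");
      return 1;
    }
  printf ("recvfrom() returned %zd bytes of data; addrlen came back as %u\n",
          r.nbytes, (unsigned) r.addrlen);
  return 0;
}
```

Run it and compare the two numbers it prints: the data length tracks whatever the sender put on the wire, while addrlen stays tiny because the unbound sender has no path for the receiver to read back.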