[Snort-users] snort -A unsock feature

Yuri Leikind y.leikind at ...9017...
Fri Apr 25 08:37:14 EDT 2003

Hello all,

I am trying to use Snort's ability to write alerts to 
a UnixSocket.

For testing purposes I've written a single rule:

alert tcp any any -> MyIP 22 (msg:"Someone is using ssh to connect to me";)

If I run snort like this:

 snort -de -l log -h MyIP -c rule -A full

I get the alerts in the alert file in the ./log directory, if someone
connects to me via ssh.

But if I use

 snort -de -l log -h MyIP -c rule -A unsock

and a simple script written in Ruby to listen to the socket:

     require 'socket'
     file = "/dev/snort_alert"

     sock = UNIXServer.open(file)

     while s = sock.accept
        puts "gotcha"
        p  s.recvfrom(1) # or any number of bytes
     end

I get nothing.

Has anyone used this feature?

Best regards,
Yuri Leikind

"... 5 years from now everyone will be running free 
GNU on their 200 MIPS, 64M SPARCstation-5."

Andy Tanenbaum to Linus Torvalds 
in comp.lang.minix on Jan 1, 1992
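
An added example, not part of the original post and not Snort's own code: a Ruby receiver that binds a datagram UNIX socket instead of a stream server, on the assumption that Snort's `-A unsock` output sends each alert as a single datagram whose first 256 bytes hold the NUL-padded alert message. The socket path, the helper names and the sample datagram are constructed for the demonstration.

```ruby
require 'socket'
require 'tmpdir'

# Assumption: the alert datagram starts with a fixed 256-byte, NUL-padded message field.
ALERTMSG_LENGTH = 256

# Bind a datagram socket at +path+. A UNIXServer is a stream socket and would
# sit in accept forever if the sender only emits connectionless datagrams.
def open_alert_socket(path)
  File.unlink(path) if File.socket?(path) # clear a stale socket from an earlier run
  sock = Socket.new(:UNIX, :DGRAM)
  sock.bind(Addrinfo.unix(path, :DGRAM))
  # Owner-only access so other local users cannot inject fake alerts
  # (assumes the sensor runs as the same user or as root).
  File.chmod(0600, path)
  sock
end

# Extract the text of the leading message field, up to the first NUL byte.
def alert_message(datagram)
  datagram.byteslice(0, ALERTMSG_LENGTH).unpack1('Z*')
end

# Wait up to +timeout+ seconds for one alert; nil means nothing arrived.
def receive_alert(sock, timeout = 5)
  return nil unless IO.select([sock], nil, nil, timeout)
  data, _sender = sock.recvfrom(65_535)
  alert_message(data)
end

# Constructed stand-in for the sensor: sends one fake alert datagram to the receiver.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'snort_alert')
    server = open_alert_socket(path)
    fake = ['Someone is using ssh to connect to me'].pack("a#{ALERTMSG_LENGTH}") + ("\x00" * 64)
    client = Socket.new(:UNIX, :DGRAM)
    client.send(fake, 0, Socket.pack_sockaddr_un(path))
    msg = receive_alert(server)
    client.close
    server.close
    msg
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

For real use, pass the socket path the sensor writes to into `open_alert_socket` and call `receive_alert` in a loop; the receiver has to be bound before the first alert is sent.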
