[Snort-users] snort unsock option and java serversocket

Dirk Geschke dirk at ...10648...
Tue Nov 9 00:23:08 EST 2004


Hi,

> I am trying to let snort send realtime alerts to a
> java serversocket which is listening on some specified
> port and IP by using unsock option of snort. However,
> I didn't get it. Is there anyone who has some
> experience on unsock option? and what would be the
> format of the alert output while using unsock option?

I think you are on the wrong track. The unsock option is for notifying
via a unix domain socket. This contains neither an IP address
nor a port. You need a program that creates the unix socket and listens
on it. The default socket name is "/tmp/snort_alert".

For the format take a look at src/output-plugins/spo_alert_unixsock.c.

A similar approach is done with FLoP: 

    http://www.geschke-online.de/FLoP/

But the main focus is to store all alerts in a database with the
payload. For alerts with a given priority an e-mail can be sent.
(Or something else, if you like. The information is written to
another unix domain socket so it is easy to attach other programs.)

Best regards

Dirk
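An added example, not part of the thread and not Snort's or FLoP's own code: a minimal Python receiver for the unsock output plugin, showing the point of the reply above in working code. The receiver, not Snort, has to create and bind the unix datagram socket (default /tmp/snort_alert) before Snort starts. Assumptions, to be confirmed against src/output-plugins/spo_alert_unixsock.c for the Snort version in use: each alert arrives as one datagram, and the datagram starts with a fixed 256-byte NUL-padded alert message field (ALERTMSG_LENGTH). The rest of the datagram (pcap header, header offsets, packet bytes, event data) is deliberately left unparsed here because its layout depends on the Snort build and host architecture. The sample alert texts are constructed; build_fake_alert and demo_roundtrip exist only so the example runs without a Snort process.

```python
"""Minimal receiver for Snort's alert_unixsock output plugin (illustrative)."""

import os
import socket
import tempfile

# ASSUMPTION: size of the leading message field in each datagram; check the
# value of ALERTMSG_LENGTH in spo_alert_unixsock.c for your Snort version.
ALERTMSG_LENGTH = 256
DEFAULT_SOCKET_PATH = "/tmp/snort_alert"
# Generous receive buffer: message field + packet snapshot + event data (assumption).
MAX_DATAGRAM = 65536 + 4096


def bind_alert_socket(path=DEFAULT_SOCKET_PATH, timeout=5.0):
    """Create the unix datagram socket Snort will send alerts to.

    Snort does not create the socket file; if a stale one is left over from a
    previous run, bind() fails, so remove it first. The file is restricted to
    the owner so other local users cannot inject forged alerts.
    """
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o600)
    sock.settimeout(timeout)
    return sock


def parse_alert(datagram):
    """Split one raw datagram into (alert message text, opaque remainder)."""
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError("datagram shorter than the alert message field")
    raw = datagram[:ALERTMSG_LENGTH]
    msg = raw.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return msg, datagram[ALERTMSG_LENGTH:]


def receive_alerts(sock, count):
    """Read `count` datagrams from the bound socket and return their messages."""
    messages = []
    for _ in range(count):
        data = sock.recv(MAX_DATAGRAM)
        msg, _rest = parse_alert(data)
        messages.append(msg)
    return messages


def build_fake_alert(message, remainder=b""):
    """Test helper: a datagram shaped like the assumed leading field Snort emits."""
    encoded = message.encode("ascii")[:ALERTMSG_LENGTH - 1]
    return encoded.ljust(ALERTMSG_LENGTH, b"\0") + remainder


def demo_roundtrip(messages):
    """Bind a receiver in a temp dir, send constructed alerts into it, return what was parsed."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "snort_alert")
    receiver = bind_alert_socket(path)
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        for m in messages:
            # 32 bytes of zeros stand in for the unparsed rest of the struct.
            sender.sendto(build_fake_alert(m, b"\0" * 32), path)
        return receive_alerts(receiver, len(messages))
    finally:
        sender.close()
        receiver.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    # Constructed sample alert texts, not real Snort output.
    print(demo_roundtrip(["ICMP PING NMAP", "WEB-MISC /etc/passwd access"]))
```

To use it against a real Snort, call bind_alert_socket() with the path Snort is configured for, start Snort with the unsock output plugin, and loop on receive_alerts; anything beyond the message text should only be decoded after reading the struct definition in spo_alert_unixsock.c for that build.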



