[Snort-users] snort unsock option and java serversocket
dirk at ...10648...
Tue Nov 9 00:23:08 EST 2004
> I am trying to let snort send realtime alerts to a
> java serversocket which is listening on some specified
> port and IP by using unsock option of snort. However,
> I didnt get it. is there anyone who has some
> experience on unsock option? and what would be the
> format of the alert output while using unsock option?
I think you are on the wrong way. The unsock option is for notifying
via an unix domain socket. This does neither contain an IP address
nor a port. You need a program creating the unix socket and listening
to it. The default socket name is "/tmp/snort_alert".
For the format take a look at src/output-plugins/spo_alert_unixsock.c.
A similar approach is done with FLoP:
But the main focus is to store all alerts in a database with the
oayload. For alerts with a given priority an e-mail can be send.
(Or something else, if you like. The infomration is written to
another unix domain socket so it is easy to attach other programs.)
More information about the Snort-users