[Snort-users] Unixsock plugin?

Dirk Geschke dirk at ...10648...
Tue Nov 24 10:47:11 EST 2009


Hi Honia,

> 1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: "snort -A unsock -c snort.conf ". Did you mean I have to delete the line from the snort.conf file and just run the command itself? 

No, in this case it does not matter: both do the same.

But if you define "output alert_unixsock" in snort.conf there is no
need to use "-A unsock", too.

> 2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?

Simply write a script/program that creates the unix domain socket
and reads from it. That's all.

The socket should be in the log dir and called snort_alert.

All you need is something like this:

---
/* declarations (needs <string.h>, <sys/socket.h> and <sys/un.h>) */
int sock;
struct sockaddr_un unix_addr;
socklen_t length = sizeof(unix_addr);

/* get a socket */
sock = socket(PF_UNIX, SOCK_DGRAM, 0);

/* we want a unix socket */
memset(&unix_addr, 0, sizeof(unix_addr));
unix_addr.sun_family = AF_UNIX;
strcpy(unix_addr.sun_path, SocketName);

/* create the socket (bind() creates the file SocketName, which must not exist yet) */
bind(sock, (struct sockaddr *) &unix_addr, length);
---

SocketName should be the name of the socket you want to create.

After this you can read from "sock" when snort writes to it.

Best regards

Dirk
-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at ...10648... / dirk at ...13691...  / kontakt at ...13691... | 
+----------------------------------------------------------------------+
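A complete reader for the socket described in the mail above, as an added example that is not Dirk's code: create_alert_socket() does the socket()/bind() sequence from the mail, read_alert() receives one datagram and extracts the alert text, and send_fake_alert() is a constructed stand-in for Snort so the reader can be exercised without a running sensor. It assumes each datagram begins with Snort's 256-byte NUL-terminated alertmsg field; the rest of the Alertpkt layout is not parsed.

```c
/* Reader for Snort's alert_unixsock output (added example, not the mail's own
 * code). Assumes each datagram starts with Snort's NUL-terminated alert message
 * (Alertpkt.alertmsg, 256 bytes); the rest of Alertpkt is version dependent. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define ALERTMSG_LENGTH 256

static void fill_addr(struct sockaddr_un *a, const char *path) {
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path, path, sizeof(a->sun_path) - 1);
}

/* Create the datagram socket Snort writes to (e.g. <logdir>/snort_alert); -1 on failure. */
int create_alert_socket(const char *path) {
    struct sockaddr_un addr;
    int sock = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0) return -1;
    fill_addr(&addr, path);
    unlink(path);   /* a stale socket file from an earlier run makes bind() fail */
    if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) { close(sock); return -1; }
    return sock;
}

/* Receive one datagram; copy its leading message into msg (NUL-terminated). Returns length or -1. */
ssize_t read_alert(int sock, char *msg, size_t msglen) {
    unsigned char buf[65536];
    ssize_t n = recv(sock, buf, sizeof(buf), 0);
    if (n < 0) return -1;
    snprintf(msg, msglen, "%.*s", (int) (n < ALERTMSG_LENGTH ? n : ALERTMSG_LENGTH), (char *) buf);
    return n;
}

/* Constructed stand-in for Snort: one zero-padded 320-byte datagram whose first field is the text. */
int send_fake_alert(const char *path, const char *text) {
    struct sockaddr_un dst;
    unsigned char pkt[ALERTMSG_LENGTH + 64] = {0};
    int s = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    fill_addr(&dst, path);
    strncpy((char *) pkt, text, ALERTMSG_LENGTH - 1);
    ssize_t r = sendto(s, pkt, sizeof(pkt), 0, (struct sockaddr *) &dst, sizeof(dst));
    close(s);
    return r == (ssize_t) sizeof(pkt) ? 0 : -1;
}
```

In a real deployment the reader loops on read_alert() over the socket created at <logdir>/snort_alert and parses the remaining Alertpkt fields from the header shipped with that Snort version.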