[Snort-users] Unixsock plugin?

Honia A honia2002 at ...125...
Tue Nov 24 11:30:32 EST 2009


Hi Dirk,

Thanks much for your reply, I really appreciate it.

1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).

2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any good?

3) You said "After this you can read from "sock" when snort writes to it". Would you please tell me how I could do this?

Thanks so much,
h

P.S. Here's the code:


 

#!/usr/bin/perl
use strict;
use warnings;

# Include the socket libraries (IO::Socket also exports SOCK_DGRAM)
use IO::Socket;

# This is the template to capture the Alert Name: the first 256 bytes of
# each datagram hold the NUL-padded alert message, the rest is the packet.
# Edit this to get the additional packets.
my $TEMPLATE = "A256 A*";

my $SOCKET_PATH = "/var/log/snort/snort_alert";

# Release the socket if it already exists
unlink $SOCKET_PATH;

# In case of user termination - exit gracefully (the END block cleans up).
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket: a datagram unix socket bound at the path snort writes to.
my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
                                   Local => $SOCKET_PATH)
  or die "Socket: $@";

print STDOUT "Socket Open ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;

while (1) {
    # Each alert arrives as one datagram; a small buffer would silently
    # truncate it, so read generously and check that recv succeeded.
    defined(recv($client, $data, 65536, 0))
      or die "recv: $!";
    my @FIELDS = unpack($TEMPLATE, $data);

    print "$FIELDS[0]\n";
}

# At termination close up the socket again.
END { unlink $SOCKET_PATH; }

> Date: Tue, 24 Nov 2009 16:47:11 +0100
> From: dirk at ...10648...
> To: honia2002 at ...125...
> CC: dirk at ...10648...; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Unixsock plugin?
> 
> Hi Honia,
> 
> > 1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: "snort -A unsock -c snort.conf ". Did you mean I have to delete the line from the snort.conf file and just run the command itself? 
> 
> No, in this case it does not matter: both do the same...
> 
> But if you define "output alert_unixsock" in snort.conf there is no
> need to use "-A unsock", too.
> 
> > 2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?
> 
> Simply write a script/program that creates the unix domain socket
> and reads from it. That's all.
> 
> The socket should be in the log dir and called snort_alert.
> 
> All you need is something like this:
> 
> ---
> /* get a socket */
> sock = socket(PF_UNIX, SOCK_DGRAM, 0) ;
> 
> /* we want a unix socket */
> unix_addr.sun_family = AF_UNIX;
> strcpy(unix_addr.sun_path, SocketName);
> 
> /* create the socket */
> bind(sock, (struct sockaddr *) &unix_addr,length);
> ---
> 
> SocketName should be the name of the socket you want to create.
> 
> After this you can read from "sock" when snort writes to it.
> 
> Best regards
> 
> Dirk
> -- 
> +----------------------------------------------------------------------+
> | Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
> | Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
> | dirk at ...10648... / dirk at ...13691... / kontakt at ...13691... | 
> +----------------------------------------------------------------------+
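Dirk's sketch stops at bind(); the question left open is how to read from the socket once Snort writes to it. The following is an added example (not code from either poster and not Snort's own source): a small C listener that creates the datagram socket, receives one datagram per alert, and pulls the alert message out of it. It assumes the socket path /var/log/snort/snort_alert from the thread and that each datagram begins with a 256-byte, NUL-padded alert message (the same layout the Perl script's "A256" template relies on); the constant ALERTMSG_LENGTH and the helper names are this example's own.

```c
/* Added example, not from the thread: minimal reader for Snort's
 * alert_unixsock output. Assumes (as the Perl script above does) that
 * every datagram starts with a 256-byte NUL-padded alert message. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define ALERTMSG_LENGTH 256   /* assumption: size of the leading alert message field */
#define SNORT_SOCK_PATH "/var/log/snort/snort_alert"   /* path from the thread */

/* Create the unix datagram socket Snort will write to. Returns the fd or -1. */
int create_alert_socket(const char *path)
{
    struct sockaddr_un addr;
    int sock;

    if (strlen(path) >= sizeof(addr.sun_path)) {   /* sun_path is small; refuse overlong paths */
        errno = ENAMETOOLONG;
        return -1;
    }
    sock = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0)
        return -1;

    unlink(path);                     /* drop a stale socket file from an earlier run */
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        int saved = errno;
        close(sock);
        errno = saved;
        return -1;
    }
    return sock;
}

/* Copy the alert message out of one datagram into out (NUL-terminated).
 * The field is fixed-size and need not contain a NUL when the message
 * fills it, so the copy is bounded by ALERTMSG_LENGTH, never by strlen.
 * Returns the message length, or -1 for a datagram too short to hold the field. */
int extract_alert_msg(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t n = 0;
    if (len < ALERTMSG_LENGTH || outlen == 0)
        return -1;
    while (n < ALERTMSG_LENGTH && buf[n] != '\0')
        n++;
    if (n >= outlen)                  /* caller's buffer is smaller: truncate safely */
        n = outlen - 1;
    memcpy(out, buf, n);
    out[n] = '\0';
    return (int)n;
}

/* Block for one datagram. Returns the message length, -1 on a recv error
 * (errno set), or -2 for a malformed (too short) datagram. */
int read_one_alert(int sock, char *out, size_t outlen)
{
    unsigned char buf[65536];         /* larger than any alert datagram Snort sends */
    ssize_t got = recv(sock, buf, sizeof(buf), 0);
    if (got < 0)
        return -1;
    if (extract_alert_msg(buf, (size_t)got, out, outlen) < 0)
        return -2;
    return (int)strlen(out);
}

int main(void)
{
    char msg[ALERTMSG_LENGTH + 1];
    int sock = create_alert_socket(SNORT_SOCK_PATH);
    if (sock < 0) {
        perror("create_alert_socket");
        return 1;
    }
    printf("Listening on %s\n", SNORT_SOCK_PATH);
    for (;;) {
        int n = read_one_alert(sock, msg, sizeof(msg));
        if (n == -1) {
            if (errno == EINTR)
                continue;
            perror("recv");
            break;
        }
        if (n == -2) {
            fprintf(stderr, "ignoring short datagram\n");
            continue;
        }
        printf("ALERT: %s\n", msg);
    }
    close(sock);
    unlink(SNORT_SOCK_PATH);
    return 0;
}
```

Run it as the same user Snort runs as (or one that can create files in the log directory) before starting Snort with output alert_unixsock; each alert then shows up as one line. Anything after the first 256 bytes of the datagram (packet header and payload) is left untouched here, and the reader treats the message field as untrusted input: it is bounded-copied and terminated rather than passed to printf as if it were a proper C string.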