[Snort-users] Unixsock plugin?

Dirk Geschke dirk at ...10648...
Wed Nov 25 05:12:34 EST 2009

Hi Honia,

> 1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).

you have to create this socket so snort can write to it (on some
systems one have to ensure that the snort pocess is allowed to
write to this socket...)

If there is no socket, than all alerts are simply dropped.

> 2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any good? 

It looks okay, so far. You should take care of the size of
Alertpkt, this is what the output plugin writes to the socket.
This number of bytes should be read from the socket and of
course you should take care of the fields in order to extract
them correct.

If you read less bytes than are in the buffer then you will
read the remaining parts the next time and not the next alert...

> 3) You said "After this you can read from "sock" when snort writes to it". would you please tell me how could I do this?

Simply to a blocked read from it, if data are there then you can
read them. Hence if snort writes an alert to the socket your
program can read them the same time.

> P.S. Here's the code:

> while ( true ) {
>     recv($client,$data,1024,0);
>     @FIELDS = unpack($TEMPLATE, $data);

I think a


would be the better way. Although Alertpkt is bigger than 1024 bytes.
But this way you should get at least the alertmsg of the first alert.

Best regards


BTW: You can take a look at sockserv.c from FLoP for how I solved
     this in C for a quite different output plugin. I adjusted and
     extended the output plugin to provide more informations and 
     the whole pcap data. You can find the latest version of FLoP


| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk at ...10648... / dirk at ...13691...  / kontakt at ...13691... | 

More information about the Snort-users mailing list