Snort mailing list archives

Re: Alert_unixsock


From: Fyodor <fygrave () tigerteam net>
Date: Wed, 5 Sep 2001 04:08:39 +0700

On Mon, Sep 03, 2001 at 06:28:48PM -0400, Anupam Bansal wrote:

> Fyodor,
>
> Is it possible you can dig up this sample for me please ??
>
> Are there any other ways to send data to a socket directly ??



I failed to find my old code, so here it goes (briefly from the top of
my head, be aware that you need to be more error-prune in actual
implementation):

You don't send it, you 'bind' a unix socket and then you receive from it. 

#include "snort.h"
#include "spo_alert_unixsock.h"   /* Alertpkt and UNSOCK_FILE */
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>

...

struct sockaddr_un snortaddr;
struct sockaddr_un bogus;
socklen_t boguslen;
Alertpkt alert;
int sockfd;

sockfd = socket(AF_UNIX, SOCK_DGRAM, 0);

bzero(&snortaddr, sizeof(snortaddr));
snortaddr.sun_family = AF_UNIX;
strcpy(snortaddr.sun_path, UNSOCK_FILE);

bind(sockfd, (struct sockaddr *) &snortaddr, sizeof(snortaddr));

while (1) {
    boguslen = sizeof(bogus);   /* recvfrom wants a pointer to the length */
    recvfrom(sockfd, &alert, sizeof(alert), 0, (struct sockaddr *) &bogus, &boguslen);
    /* parse out the alert structure here and do whatever you want with it:
       the message is in alert.alertmsg, the raw packet data in alert.pkt,
       and the offsets in alert.nethdr, alert.transhdr, alert.dlthdr and
       alert.data */
}

If you need more data here from alert, modify the spo_alert_unixsock.c/h routines :)

As for the other ways, you always can code up an output plugin (see also
spo_snortnet code, another attempt of mine to send data to a network
socket).

hope it helps,

-Fyodor
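The receive loop Fyodor sketches above, written out as an added, self-contained example. This is not his code and not Snort's: struct fake_alert is a stand-in that only borrows the field names he lists (alertmsg, pkt, dlthdr, nethdr, transhdr, data), the sizes and the socket path under /tmp are assumed, and a fake producer in the same process stands in for Snort so the exchange runs offline. Beyond the sketch it shows the two things a consumer usually gets wrong: passing recvfrom a pointer to a socklen_t rather than a bare sizeof, and checking that the header offsets actually lie inside the captured bytes before indexing into pkt with them, since a malformed datagram on that socket must not crash the alert consumer.

```c
/* Added example, not from the post or from Snort: a receiver for the
 * alert_unixsock output plus a fake producer so the exchange runs offline.
 * struct fake_alert is a stand-in modelled on the field names Fyodor lists;
 * Snort's real Alertpkt layout lives in spo_alert_unixsock.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define ALERTMSG_LEN 256                   /* assumed sizes, not Snort's */
#define PKT_LEN      1514

struct fake_alert {
    char     alertmsg[ALERTMSG_LEN];
    uint32_t pkt_len;                      /* valid bytes in pkt[] */
    uint32_t dlthdr, nethdr, transhdr, data;   /* offsets into pkt[] */
    uint8_t  pkt[PKT_LEN];
};
struct parsed_alert {
    char     msg[ALERTMSG_LEN];
    uint32_t payload_len;                  /* bytes from data offset to end */
    int      ok;                           /* 0 if the datagram was rejected */
};

static void fill_addr(struct sockaddr_un *addr, const char *path)
{
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    strncpy(addr->sun_path, path, sizeof(addr->sun_path) - 1);
}
/* Bind a datagram AF_UNIX socket at path, as the consumer must do. */
static int bind_alert_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    fill_addr(&addr, path);
    unlink(path);                          /* remove a stale socket file */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { close(fd); return -1; }
    return fd;
}
/* Validate before trusting: the message must be terminated and every
 * offset must lie inside the captured bytes, in header order. */
static struct parsed_alert parse_alert(const struct fake_alert *a, size_t got)
{
    struct parsed_alert r = {{0}, 0, 0};
    if (got < sizeof(*a) || a->pkt_len > PKT_LEN) return r;
    memcpy(r.msg, a->alertmsg, ALERTMSG_LEN - 1);   /* r.msg[LEN-1] stays 0 */
    if (!(a->dlthdr <= a->nethdr && a->nethdr <= a->transhdr &&
          a->transhdr <= a->data && a->data <= a->pkt_len)) return r;
    r.payload_len = a->pkt_len - a->data;
    r.ok = 1;
    return r;
}
/* Stand-in for Snort: send one constructed alert to path. */
static int send_fake_alert(const char *path, const struct fake_alert *a)
{
    struct sockaddr_un addr;
    ssize_t n;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    fill_addr(&addr, path);
    n = sendto(fd, a, sizeof(*a), 0, (struct sockaddr *)&addr, sizeof(addr));
    close(fd);
    return n == (ssize_t)sizeof(*a) ? 0 : -1;
}
/* Round trip on a private socket path.  corrupt_offsets=1 sends an alert
 * whose data offset points past the packet, which parse_alert rejects. */
struct parsed_alert alert_roundtrip(int corrupt_offsets)
{
    char path[64];
    struct fake_alert a;
    struct sockaddr_un from;
    socklen_t fromlen = sizeof(from);      /* recvfrom needs a pointer to this */
    struct parsed_alert r = {{0}, 0, 0};
    int fd;
    snprintf(path, sizeof(path), "/tmp/snort_alert_demo.%ld", (long)getpid());
    memset(&a, 0, sizeof(a));              /* constructed sample alert */
    strcpy(a.alertmsg, "CONSTRUCTED test alert");
    a.pkt_len = 60; a.dlthdr = 0; a.nethdr = 14; a.transhdr = 34; a.data = 54;
    if (corrupt_offsets) a.data = 5000;    /* inconsistent offset */
    fd = bind_alert_socket(path);
    if (fd < 0) return r;
    if (send_fake_alert(path, &a) == 0) {
        ssize_t got = recvfrom(fd, &a, sizeof(a), 0, (struct sockaddr *)&from, &fromlen);
        if (got > 0) r = parse_alert(&a, (size_t)got);
    }
    close(fd);
    unlink(path);
    return r;
}
int main(void)
{
    struct parsed_alert r = alert_roundtrip(0);
    printf("ok=%d msg=\"%s\" payload=%u\n", r.ok, r.msg, r.payload_len);
    return r.ok ? 0 : 1;
}
```

Against the real plugin you would drop the fake producer, replace struct fake_alert with Snort's Alertpkt from spo_alert_unixsock.h and bind at the path Snort writes to; the offset checks in parse_alert carry over unchanged, and that is the part worth keeping, because anything that can write to the socket file can hand the consumer an arbitrary datagram.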

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
