Re: Snort and Unix-Socket

[Fyodor <fygrave () tigerteam net>]

[snip snip]
> But after some tests and "googles" I think the plugin never send any data to
> the socket. At the some time the alter will
> be detected and send to the mysql-database and to the syslog. So, the
> generated attack will be detected from snort, but doesn't
> send to the socket.
>
> <code-snipset>
>         if((sockfd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
>                 fprintf(stderr, "Failed to call socket.");
>                 exit(EXIT_FAILURE);
>         }
>
>         adress.sun_family = AF_UNIX;
>         strcpy(adress.sun_path, "/dev/snort_alert");
>         adrlen = sizeof(adress.sun_family) + strlen(adress.sun_path);
>
>         if(bind(sockfd, (struct sockaddr *) &adress, adrlen) == -1) {
>                 fprintf(stderr, "Unable to bind socket.");
>                 exit(EXIT_FAILURE);
>         }
>
>         if(listen(sockfd, 5) == -1) {
>                 fprintf(stderr, "Unable to listen on socket.");
>                 exit(EXIT_FAILURE);
>         }
>
>         while((connfd = accept(sockfd, (struct sockaddr *) &adress,
> &adrlen)) >= 0) {

I don't think you need to && can call accept and listen on
connection-less sockets (which SOCK_DGRAM is), all you need is to call
recvfrom() on the socket.. Look through snort-devel or snort-users
mailing list archives, I was posting a sample how to use unix sockets
with snort while ago.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users