Snort mailing list archives
Re: Snort and Unix-Socket
From: Fyodor <fygrave () tigerteam net>
Date: Thu, 22 Nov 2001 06:55:09 +0700
> [snip snip]
>
> But after some tests and "googles" I think the plugin never sends any data to the socket. At the same time the alert will be detected and sent to the mysql-database and to the syslog. So, the generated attack will be detected by snort, but isn't sent to the socket.
>
> <code-snipset>
>
>     if((sockfd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
>         fprintf(stderr, "Failed to call socket.");
>         exit(EXIT_FAILURE);
>     }
>
>     adress.sun_family = AF_UNIX;
>     strcpy(adress.sun_path, "/dev/snort_alert");
>     adrlen = sizeof(adress.sun_family) + strlen(adress.sun_path);
>
>     if(bind(sockfd, (struct sockaddr *) &adress, adrlen) == -1) {
>         fprintf(stderr, "Unable to bind socket.");
>         exit(EXIT_FAILURE);
>     }
>
>     if(listen(sockfd, 5) == -1) {
>         fprintf(stderr, "Unable to listen on socket.");
>         exit(EXIT_FAILURE);
>     }
>
>     while((connfd = accept(sockfd, (struct sockaddr *) &adress, &adrlen)) >= 0) {
I don't think you need to, and can, call accept and listen on connection-less sockets (which SOCK_DGRAM is); all you need is to call recvfrom() on the socket. Look through the snort-devel or snort-users mailing list archives, I was posting a sample of how to use unix sockets with snort a while ago.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
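The point Fyodor makes above, shown as an added example that is not code from the thread or from Snort itself: on a SOCK_DGRAM Unix socket listen() fails with EOPNOTSUPP, so an alert reader built around listen()/accept() exits before it ever reads anything, while a reader that simply binds and calls recvfrom() receives each datagram as it arrives. The socket path /tmp/snort_alert_example.sock, the text payload, and the in-process sender standing in for Snort's alert_unixsock plugin are assumptions made for this example (the real plugin writes to /dev/snort_alert and sends a binary alert structure, not text).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Assumed path for this example; the Snort plugin uses /dev/snort_alert. */
#define EXAMPLE_SOCK_PATH "/tmp/snort_alert_example.sock"

/* Create a Unix datagram socket bound to `path`. Returns the fd, or -1. */
static int bind_dgram_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (fd == -1)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                      /* drop a stale socket file from an earlier run */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Why the posted snippet never reads an alert: listen() on a datagram
 * socket is rejected. Returns the errno listen() sets (EOPNOTSUPP). */
int listen_on_dgram_errno(void)
{
    int err = 0;
    int fd = bind_dgram_socket(EXAMPLE_SOCK_PATH);
    if (fd == -1)
        return errno;
    if (listen(fd, 5) == -1)
        err = errno;
    close(fd);
    unlink(EXAMPLE_SOCK_PATH);
    return err;
}

/* The working pattern: bind, then recvfrom(), no listen()/accept().
 * To stay self-contained, a second unbound socket in the same process
 * first sends `msg` (a constructed stand-in for the Snort plugin); the
 * datagram is queued on the bound socket until recvfrom() drains it.
 * Returns the number of bytes received (buf is NUL-terminated), or -1. */
ssize_t send_and_receive(const char *msg, char *buf, size_t buflen)
{
    struct sockaddr_un dst, from;
    socklen_t fromlen = sizeof from;
    ssize_t n = -1;
    int tx, rx = bind_dgram_socket(EXAMPLE_SOCK_PATH);
    if (rx == -1)
        return -1;
    tx = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (tx == -1) {
        close(rx);
        unlink(EXAMPLE_SOCK_PATH);
        return -1;
    }
    memset(&dst, 0, sizeof dst);
    dst.sun_family = AF_UNIX;
    strncpy(dst.sun_path, EXAMPLE_SOCK_PATH, sizeof dst.sun_path - 1);
    if (sendto(tx, msg, strlen(msg), 0, (struct sockaddr *)&dst, sizeof dst) != -1)
        n = recvfrom(rx, buf, buflen - 1, 0, (struct sockaddr *)&from, &fromlen);
    if (n >= 0)
        buf[n] = '\0';
    close(tx);
    close(rx);
    unlink(EXAMPLE_SOCK_PATH);
    return n;
}

int main(void)
{
    char buf[256];
    int err = listen_on_dgram_errno();
    printf("listen() on SOCK_DGRAM failed with: %s\n", strerror(err));
    if (send_and_receive("constructed alert", buf, sizeof buf) >= 0)
        printf("recvfrom() got: %s\n", buf);
    return 0;
}
```

A real reader would loop on recvfrom() forever and parse the plugin's binary structure out of each datagram; the only structural difference from the posted snippet is that the listen() and accept() calls are gone.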
Current thread:
- Snort and Unix-Socket TSauter (Nov 21)
- Re: Snort and Unix-Socket Fyodor (Nov 21)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Dirk Geschke (Nov 22)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Fyodor (Nov 21)