Snort mailing list archives
snort -A unsock feature
From: Yuri Leikind <y.leikind () sam-solutions net>
Date: Fri, 25 Apr 2003 18:36:14 +0300
Hello all, I am trying to use Snort's ability to write alerts to a UnixSocket. For testing purposes I've written a single rule: alert tcp any any -> MyIP 22 (msg:"Someone is using ssh to connect to me";) If I run snort like this: snort -de -l log -h MyIP -c rule -A full I get the alerts in the alert file in the ./log directory, if someone connects to me via ssh. But if I use snort -de -l log -h MyIP -c rule -A unsock and a simple script written in Ruby to listen to the socket: require 'socket' file = "/dev/snort_alert" sock = UNIXServer.open(file) while s = sock.accept puts "gotcha" p s.recvfrom(1) # or any number of bytes end I get nothing. Has anyone used this feature? -- Best regards, Yuri Leikind "... 5 years from now everyone will be running free GNU on their 200 MIPS, 64M SPARCstation-5." Andy Tanenbaum to Linus Torvalds in comp.lang.minix on Jan 1, 1992 http://groups.google.com/groups?lr=&selm=12615%40star.cs.vu.nl ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort -A unsock feature Yuri Leikind (Apr 25)