Snort mailing list archives
Re: Unsock Output Issues
From: Korodev <korodev () gmail com>
Date: Tue, 24 May 2011 17:38:47 -0500
As an update to this... I was wrong about the lack of a connect statement, as it's not needed in this scenario. If I had realized that sendto was failing the whole time, then I would have read the errno it generated :) So my problem has shifted to sendto returning errno 40 (EMSGSIZE), indicating Snort is trying to push too much data through the socket.
From my tests, sizeof(Alertpkt) returns 65864 bytes.
I'll return to this tomorrow, any thoughts are welcome :)

\\korodev

On Tue, May 24, 2011 at 4:32 PM, Korodev <korodev () gmail com> wrote:
> I've been playing with Snort's unsock output to plug into an existing app that does some custom reporting and notification work. For reference, I'm running 2.9.0.5 and FreeBSD 8.2.
>
> The unsock readme says that snort writes to /dev/snort_alert, which I'm assuming is quite dated. Analysis of the spo_alert_unixsock code shows that snort is looking at snort_conf->log_dir, which ultimately (with the define) points to /var/log/snort/snort_alert.
>
> To do some troubleshooting, I wrote a minimal socket server that opens a unix dgram socket at /var/log/snort/snort_alert, printing all recv'd data, and a test client to send data to the socket. Everything there works as expected. According to the output plugin code, it should throw plenty of errors when having trouble creating the socket.
>
> Sockstat shows that my server/listener is active and listening on the right socket, but interestingly enough, shows an entry for Snort with "(not connected)" under the local address field. I know creating the socket doesn't actually connect it, and saw that there doesn't seem to be a connect statement in the output plugin. Once I added a `connect(alertsd, (struct sockaddr *) &alertaddr, sizeof(alertaddr))` statement, then sockstat at least shows that snort is connecting to the socket, but the sendto statement is still failing.
>
> Anyone have any exp with this? Feeling like I'm really close :)
>
> Thanks,
> \\korodev
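The two failure modes this thread circles, as an added example that is not Korodev's test harness or Snort's spo_alert_unixsock code: a minimal AF_UNIX datagram listener that asks for a receive queue sized for whole Alertpkt records and reports a truncated datagram instead of parsing it, plus a sender probe that returns the errno a record of a given size gets on this host (EMSGSIZE being the one reported above). SOCK_PATH, the zero-filled `record` buffer and `round_trip` are assumptions for a self-contained run; ALERT_SZ is the 65864-byte sizeof(Alertpkt) measured in the thread, and whether a record that large is deliverable depends on the host's unix datagram limit, so the probe is the check to run before trusting the feed.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define SOCK_PATH "/tmp/snort_alert_probe"  /* assumed test path, not Snort's log_dir */
#define ALERT_SZ  65864                     /* sizeof(Alertpkt) as measured in the thread */
static char record[ALERT_SZ];               /* zero-filled stand-in for one alert record */

/* Bind a datagram listener at path with a receive queue sized for whole alert records. */
static int open_listener(const char *path, int rcvbuf) {
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    unlink(path);   /* clear a stale socket file left by a previous run */
    setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof rcvbuf);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    return fd;
}

/* Send one len-byte record to path; returns 0 or errno (EMSGSIZE: record exceeds the
 * host's unix datagram limit, which is the failure the thread ran into). */
static int send_record(const char *path, size_t len) {
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0), rc = 0;
    if (fd < 0) return errno;
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    if (sendto(fd, record, len, 0, (struct sockaddr *)&a, sizeof a) < 0) rc = errno;
    close(fd);
    return rc;
}

/* Receive one datagram into cap bytes; returns bytes read, or -1 if the kernel truncated
 * it (MSG_TRUNC), in which case the Alertpkt must be counted as lost rather than parsed. */
static ssize_t recv_alert(int fd, void *buf, size_t cap) {
    struct iovec iov = { buf, cap };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t n = recvmsg(fd, &mh, 0);
    return (n >= 0 && (mh.msg_flags & MSG_TRUNC)) ? -1 : n;
}

/* Self-check (len, cap <= ALERT_SZ): deliver one record to a fresh listener reading cap
 * bytes. Returns bytes received, -1 if truncated, or -errno if sendto failed. */
static long round_trip(size_t len, size_t cap) {
    int fd = open_listener(SOCK_PATH, ALERT_SZ * 2);
    if (fd < 0) return -errno;
    int rc = send_record(SOCK_PATH, len);
    long n = rc ? -(long)rc : (long)recv_alert(fd, record, cap);
    close(fd); unlink(SOCK_PATH);
    return n;
}
```

A consumer that ignores a negative return here silently loses alerts, which is exactly the situation the thread started from: the socket looked healthy while nothing arrived.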