Snort mailing list archives
Re: Snort and Unix-Socket
From: Phil Wood <cpw () lanl gov>
Date: Wed, 21 Nov 2001 22:46:08 -0700
I'm following up my own message. On Wed, Nov 21, 2001 at 07:02:16PM -0700, Phil Wood wrote:
I actually got this to work, but to make it work in a general way I modified snort. Don't think my changes ever made it in. The change just allowed me to specify the file to use rather than the hard coded one in snort source.
Here is an example I just ran to see if the code I posted worked:

Start up the unixsockd program.

  % ./unixsockd /tmp/socketname
  socket --> /tmp/socketname

(Start snort running with the following entry in the conf file:

  output alert_unixsock: /tmp/socketname

[note: need a few mods to snort to get it to honor the argument to the alert_unixsock output plugin])

From somewhere on the net a gnome of sorts runs the following snippet against my machine:

  # teardrop1 192.198.1.97 192.198.1.97 -t 22
  teardrop route|daemon9

  Death on flaxen wings:
  From: 192.198.1.97.43979
    To: 192.198.1.97. 22
  Amt: 1
  [ b00m ]

(back on the machine running unixsockd)

  BAD TRAFFIC same SRC/DST
  spp_frag2: Teardrop attack
  BAD TRAFFIC same SRC/DST
  BAD TRAFFIC same SRC/DST

--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
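The receiving side of the setup above, written as an added example: this is not Phil Wood's unixsockd (whose source is not on this page) and not Snort's own code. It assumes what the alert_unixsock plugin does in the Snort versions of that era, namely that Snort opens an AF_UNIX datagram socket and sends one datagram per alert, and that each datagram starts with a fixed 256-byte, NUL-terminated alert message field (the ALERTMSG_LENGTH value and the message-first layout are assumptions; everything after that field, the pcap header and the packet bytes, is laid out differently across Snort versions and is deliberately not decoded here). Because Snort is the connecting side, the receiver must have created the socket file before Snort starts, which is why the thread starts unixsockd first.

```c
/* Added example: minimal receiver for Snort's alert_unixsock plugin.
 * Not Phil Wood's unixsockd and not Snort code.
 * Assumptions: one SOCK_DGRAM datagram per alert; the datagram begins
 * with a fixed ALERTMSG_LENGTH-byte, NUL-terminated message field.
 * The rest of the datagram (pcap header, packet, event) is Snort
 * version dependent and is not decoded. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define ALERTMSG_LENGTH 256   /* assumption: matches spo_alert_unixsock.h */
#define RECV_BUFSZ      65536 /* larger than any alert datagram; not relied on */

/* Create and bind a Unix datagram socket at `path`; return fd or -1.
 * A stale socket file from a previous run is unlinked first, because
 * bind(2) fails with EADDRINUSE when the path already exists. */
int unixsock_listen(const char *path)
{
    struct sockaddr_un sa;
    int fd;

    if (strlen(path) >= sizeof(sa.sun_path))   /* would be silently truncated */
        return -1;
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);
    unlink(path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Copy the leading alert message of one datagram into `out`.
 * A datagram shorter than the message field, or whose field carries no
 * NUL terminator, is rejected instead of printed: nothing on the wire
 * is trusted to bound the string for us. Returns message length or -1. */
int alertmsg_extract(const unsigned char *dgram, size_t dlen,
                     char *out, size_t outlen)
{
    const unsigned char *nul;
    size_t n;

    if (dlen < ALERTMSG_LENGTH || outlen == 0)
        return -1;
    nul = memchr(dgram, '\0', ALERTMSG_LENGTH);
    if (nul == NULL)                 /* no terminator inside the field */
        return -1;
    n = (size_t)(nul - dgram);
    if (n >= outlen)                 /* caller's buffer is the hard limit */
        n = outlen - 1;
    memcpy(out, dgram, n);
    out[n] = '\0';
    return (int)n;
}

int main(int argc, char **argv)
{
    static unsigned char buf[RECV_BUFSZ];
    char msg[ALERTMSG_LENGTH];
    const char *path = argc > 1 ? argv[1] : "/tmp/socketname";
    int fd = unixsock_listen(path);

    if (fd < 0) {
        perror("unixsock_listen");
        return 1;
    }
    printf("socket --> %s\n", path);
    for (;;) {
        ssize_t r = recv(fd, buf, sizeof buf, 0);
        if (r < 0) {
            perror("recv");
            break;
        }
        if (alertmsg_extract(buf, (size_t)r, msg, sizeof msg) < 0) {
            fprintf(stderr, "dropped %zd-byte datagram: malformed alert field\n", r);
            continue;
        }
        printf("%s\n", msg);
        fflush(stdout);
    }
    close(fd);
    return 0;
}
```

Run it as `./receiver /tmp/socketname` before starting Snort, and make sure the socket file is writable by the user Snort drops privileges to, otherwise the plugin's sendto() fails and the alerts are lost silently on this side. Because the socket is datagram based there is no backpressure: if the receiver stalls, the kernel drops datagrams once its buffer fills, so this is a notification channel, not a reliable log.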
Current thread:
- Snort and Unix-Socket TSauter (Nov 21)
- Re: Snort and Unix-Socket Fyodor (Nov 21)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Dirk Geschke (Nov 22)
- Re: Snort and Unix-Socket Phil Wood (Nov 21)
- Re: Snort and Unix-Socket Fyodor (Nov 21)