Snort mailing list archives

Re: Snort and Unix-Socket


From: Phil Wood <cpw () lanl gov>
Date: Wed, 21 Nov 2001 22:46:08 -0700

I'm following up my own message.

On Wed, Nov 21, 2001 at 07:02:16PM -0700, Phil Wood wrote:
I actually got this to work, but to make it work in a general way I modified
snort.  Don't think my changes ever made it in.  The change just allowed
me to specify the file to use rather than the hard coded one in snort source.

Here is an example I just ran to see if the code I posted worked:

  Start up the unixsockd program.

  % ./unixsockd /tmp/socketname
  socket --> /tmp/socketname

  (start snort running with following entry in conf file:
   output alert_unixsock: /tmp/socketname [note: need a few mods to snort to
   get it to honor the argument to alert_unixsock output plugin])

  From somewhere on the net a gnome of sorts runs the following snippet against
  my machine:

  # teardrop1 192.198.1.97 192.198.1.97 -t 22
  teardrop   route|daemon9
  
  Death on flaxen wings:
  From:  192.198.1.97.43979
    To:  192.198.1.97.   22
   Amt:     1
  [ b00m ]

  (back on the machine running unixsockd)

  BAD TRAFFIC same SRC/DST
  spp_frag2: Teardrop attack
  BAD TRAFFIC same SRC/DST
  BAD TRAFFIC same SRC/DST
  
-- 
Phil Wood, cpw () lanl gov
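The listener side of the setup above, as an added example that is not the unixsockd program from the post (that code is not on this page) and not part of Snort: Snort's alert_unixsock output plugin sends each alert as one datagram on an AF_UNIX/SOCK_DGRAM socket, so the receiver has to bind the socket path before Snort starts, and there is no accept() step. The datagram layout is an assumption here (Snort 1.x Alertpkt: a NUL-terminated alert message in a leading 256-byte field, then the pcap header, offset fields and raw packet); the listener only decodes that leading message and treats the rest as opaque. The build_alert_datagram() helper exists only to simulate Snort for an offline run, and the alert strings are constructed from the ones quoted above.

```python
#!/usr/bin/env python3
"""Minimal unixsockd-style listener for Snort's alert_unixsock output.

Assumed datagram layout (Snort 1.x Alertpkt, not shown on the page): a
256-byte NUL-terminated alert message, followed by the pcap_pkthdr, offset
fields and the captured packet, which this listener does not interpret.
"""
import os
import socket
import sys

ALERTMSG_LENGTH = 256      # assumed size of the leading alert-message field
MAX_DATAGRAM = 70_000      # larger than a whole Alertpkt (256 + headers + 65535-byte snaplen)


def open_alert_socket(path):
    """Bind a datagram socket at `path`, removing a stale socket file from an earlier run."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    # Only the owner (and root) may send to the socket; widen this if Snort
    # runs under a different unprivileged user.
    os.chmod(path, 0o600)
    return sock


def parse_alertmsg(datagram):
    """Return the alert text: the bytes before the first NUL in the leading field."""
    field = datagram[:ALERTMSG_LENGTH]
    msg = field.split(b"\x00", 1)[0]
    return msg.decode("ascii", errors="replace")


def build_alert_datagram(msg, packet=b""):
    """Construct a datagram in the assumed layout; used here only to stand in for Snort.

    A real Alertpkt carries a pcap_pkthdr and five offset fields between the
    message and the packet bytes; they are replaced by a zero stub (constructed,
    sizes vary by platform) because the listener ignores them anyway.
    """
    encoded = msg.encode("ascii")[:ALERTMSG_LENGTH - 1]   # leave room for the NUL
    field = encoded.ljust(ALERTMSG_LENGTH, b"\x00")
    header_stub = b"\x00" * 36
    return field + header_stub + packet


def receive_alerts(sock, count, timeout=5.0):
    """Read up to `count` datagrams and return their alert messages; stops early on timeout."""
    sock.settimeout(timeout)
    messages = []
    try:
        for _ in range(count):
            data, _sender = sock.recvfrom(MAX_DATAGRAM)
            messages.append(parse_alertmsg(data))
    except socket.timeout:
        pass
    return messages


def main(argv):
    if len(argv) != 2:
        print("usage: {} /path/to/socket".format(argv[0]), file=sys.stderr)
        return 2
    path = argv[1]
    sock = open_alert_socket(path)
    print("socket --> " + path)
    try:
        while True:
            data, _sender = sock.recvfrom(MAX_DATAGRAM)
            print(parse_alertmsg(data))
    except KeyboardInterrupt:
        pass
    finally:
        sock.close()
        os.unlink(path)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./listener.py /tmp/socketname` before starting Snort with `output alert_unixsock` pointed at the same path; each alert then appears as one line, as in the transcript above. Because the plugin uses datagrams, alerts sent while no listener is bound are simply lost rather than queued, which is why the socket must be created first.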


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
