Re: yet another unix socket question...

["Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>]

Thanks, Fyodor.  Your code sample really helped. Things are "working", 
that is I succeed in getting the alerts via the socket. But.... some 
wierd results, all the alerts appear to be length 2 bytes.  I describe 
my approach below.

Several questions at this point:
1) For testing the socket alert, I would like to set up snort to alert 
only pings.  (I will ping from same machine as snort is running, and 
make sure I get all the packets, etc.)
I think there must be many ways of doing this, but after reading the 
snort manual, the simplest one I come up with is:

snort -A unsock -c snort.conf

< where somewhere in snort.conf ...>
#################################
# Step #3 Configure output plugins...
#  (blah blah)
output alert_unixsock
alert icmp any any -> any any
<rest of snort.conf ... but all other rule files commented out >

All pings (and maybe a few other packets, if any go by) should be sent 
to the unix socket, right?
What I am seeing with the above config of snort is a sequence of pings 
that are indeed alerted to the socket,
but the len parameter from recvfrom is always 2 (bytes, I guess).
Why would only two bytes be returned?

2) I notice in the code sample you sent, that the variables snortaddr & 
bogus are declared sockaddr_un, but then cast to sockaddr in the bind 
and recvfrom calls. Why is this? Shouldn't it be cast to sockaddr_un? 
(Either way, I get 2 bytes for each ping .)

3) Finally: Where are the various
sys/types.h
sys/socket.h ...
located in a Suse linux distrib?
Your question 2 emails ago "..how is myaddr declared.." is a good one;
from the socket how-tos I found on google, I thought everything could 
just be "sockaddr".
Evidently, there is sockaddr_un (... maybe others for different socket 
flavors?).
If I could just scan the .h files for relevant structs, at least 
erstwhile socket programmer would know they exist! ;-)


>>>RWT

Fyodor wrote:

> Attach. is README for unix sockets feature, which I have written
> quickly. if you have any questions, queries or comments, please let us
> know.
>
> -Fyodor
>
>
> ------------------------------------------------------------------------
>
> $Id: README.UNSOCK,v 1.1 2002/01/13 16:27:09 fygrave Exp $
>
> It is possible to send alert messages and some packet releveant data
> from snort through a unix socket, to perform additional separate
> processing of alert data. 
> Snort has to be built with spo_unsock.c/h output plugin is built in and
> -A unsock (or its equivalent through the config file) is
> used. The unix socket file should be created in /dev/snort_alert. Your
> 'client' code should act as 'server' listening to this unix socket.
> Snort will be sending you Alertpkt structures which contain alert
> message, event id. Original datagaram, lipcap pkthdr, and offsets to
> datalink, netlayer, and transport layer headers.
>
> Below is an example how unix sockets could be used. If you have any
> comments bug reports, and feature requests, please contact
> snort-devel () lists sourceforge net or drop me an email to fygrave at
> tigerteam dot net.
>
> -Fyodor
>
> [for copyright notice, see snort distribution code]
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/un.h>
> #include <signal.h>
> #include "snort.h"
>
> int sockfd;
>
> void
> sig_term (int sig)
> {
>   printf ("Exiting!\n");
>   close (sockfd);
>   unlink (UNSOCK_FILE);
>   exit (1);
> }
>
> int
> main (void)
> {
>   struct sockaddr_un snortaddr;
>   struct sockaddr_un bogus;
>   Alertpkt alert;
>   Packet *p;
>   socklen_t len = sizeof (struct sockaddr_un);
>
>   if ((sockfd = socket (AF_UNIX, SOCK_DGRAM, 0)) < 0)
>     {
>       perror ("socket");
>       exit (1);
>     }
>
>   bzero (&snortaddr, sizeof (snortaddr));
>   snortaddr.sun_family = AF_UNIX;
>   strcpy (snortaddr.sun_path, UNSOCK_FILE);
>
>
>   if (bind (sockfd, (struct sockaddr *) &snortaddr, sizeof (snortaddr)) < 0)
>     {
>       perror ("bind");
>       exit (1);
>     }
>
>   while (recvfrom (sockfd, (void *) &alert, sizeof (alert),
>                    0, (struct sockaddr *) &bogus, &len) > 0)
>     {
>
>       if (!(alert.val & NOPACKET_STRUCT))
>         {
>           if ((p = calloc (1, sizeof (Packet))) == NULL)
>             {
>               perror ("calloc");
>               exit (1);
>             }
>
>           p->pkt = alert.pkt;
>           p->pkth = &alert.pkth;
>           if (alert.dlthdr)
>             p->eh = (EtherHdr *) (alert.pkt + alert.dlthdr);
>           if (alert.nethdr)
>             {
>               p->iph = (IPHdr *) (alert.pkt + alert.nethdr);
>               if (alert.transhdr)
>                 {
>                   switch (p->iph->ip_proto)
>                     {
>                     case IPPROTO_TCP:
>                       p->tcph = (TCPHdr *) (alert.pkt + alert.transhdr);
>                       break;
>                     case IPPROTO_UDP:
>                       p->udph = (UDPHdr *) (alert.pkt + alert.transhdr);
>                       break;
>                     case IPPROTO_ICMP:
>                       p->icmph = (ICMPHdr *) (alert.pkt + alert.transhdr);
>                       break;
>                     default:
>                       printf ("WTF!\n");
>                     }           /* case */
>                 }               /* thanshdr */
>             }                   /* nethdr */
>           if (alert.data)
>             p->data = alert.pkt + alert.data;
>
>           /*  now  do whatever you want with these packet structures */
>         }                       /* if (!NOPACKET_STRUCT) */
>
>       printf ("%s [%d]\n", alert.alertmsg, alert.event.event_id);
>       if (!(alert.val & NOPACKET_STRUCT))
>         if (p->iph && (p->tcph || p->udph || p->icmph))
>           {
>             switch (p->iph->ip_proto)
>               {
>               case IPPROTO_TCP:
>                 printf ("TCP from: %s:%d ",
>                         inet_ntoa (p->iph->ip_src),
>                         ntohs (p->tcph->th_sport));
>                 printf ("to: %s:%d\n", inet_ntoa (p->iph->ip_dst),
>                         ntohs (p->tcph->th_dport));
>                 break;
>               case IPPROTO_UDP:
>                 printf ("UDP from: %s:%d ",
>                         inet_ntoa (p->iph->ip_src),
>                         ntohs (p->udph->uh_sport));
>                 printf ("to: %s:%d\n", inet_ntoa (p->iph->ip_dst),
>                         ntohs (p->udph->uh_dport));
>                 break;
>               case IPPROTO_ICMP:
>                 printf ("ICMP type: %d code: %d from: %s ",
>                         p->icmph->type,
>                         p->icmph->code, inet_ntoa (p->iph->ip_src));
>                 printf ("to: %s\n", inet_ntoa (p->iph->ip_dst));
>                 break;
>               }
>           }
>
>     }
>
>   perror ("recvfrom");
>   close (sockfd);
>   unlink (UNSOCK_FILE);
>
>   return 0;
> }




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users