Snort mailing list archives
Re: yet another unix socket question...
From: Fyodor <fygrave () tigerteam net>
Date: Mon, 14 Jan 2002 10:46:34 +0700
On Sun, Jan 13, 2002 at 07:48:40PM -0500, Dr. Richard W. Tibbs wrote:
> Thanks, Fyodor. Your code sample really helped. Things are "working", that is I succeed in getting the alerts via the socket. But.... some weird results, all the alerts appear to be length 2 bytes. I describe my approach below.
len is not the length of bytes received. len is the size of the struct sockaddr structure, which recvfrom filled in. If you want to see the length of bytes received, change the code like:

    while ((recv = recvfrom (sockfd, (void *) &alert, sizeof (alert), 0,
                             (struct sockaddr *) &bogus, &len)) > 0) {
        ..

recv will have the size of the Alertpkt structure. I think you may also need to do the necessary data validation afterwards (which I omitted in my code), comparing the data from the libpcap pkthdr with the actual data size. The current situation is that if the packet is bigger than the maximum snaplen, then it will be truncated. (The same goes for the message: if it is too long, it will be truncated accordingly.)
> Several questions at this point:
>
> 1) For testing the socket alert, I would like to set up snort to alert only pings. (I will ping from same machine as snort is running, and make sure I get all the packets, etc.) I think there must be many ways of doing this, but after reading the snort manual, the simplest one I come up with is:
>
>     snort -A unsock -c snort.conf
>
> <where somewhere in snort.conf ...>
>
>     #################################
>     # Step #3 Configure output plugins...
>     # (blah blah)
>     output alert_unixsock
>
>     alert icmp any any -> any any
>
> <rest of snort.conf ... but all other rule files commented out>
maybe also (msg:"pings"); ;-)
> 2) I notice in the code sample you sent, that the variables snortaddr & bogus are declared sockaddr_un, but then cast to sockaddr in the bind and recvfrom calls. Why is this? Shouldn't it be cast to sockaddr_un?
Because bind() and recvfrom() require the cast due to their declarations:

    int bind(int sockfd, struct sockaddr *my_addr, socklen_t addrlen);
    int recvfrom(int s, void *buf, size_t len, int flags,
                 struct sockaddr *from, socklen_t *fromlen);
> (Either way, I get 2 bytes for each ping.)
>
> 3) Finally: Where are the various sys/types.h sys/socket.h ... located in a Suse linux distrib?
/usr/include/ ? ;-)
> Your question 2 emails ago "..how is myaddr declared.." is a good one; from the socket how-tos I found on google, I thought everything could just be "sockaddr".
No, sockaddr is a generic structure. The general idea is that most of the socket-relevant syscalls take this structure as a parameter, then operate on it according to what your socket type is. AF_INET makes the sockaddr be treated as a sockaddr_in, AF_UNIX as a sockaddr_un, etc. That's why you still have to cast the sockaddr_* structs: so the same function/interface can be used to operate on different socket types.

Hope it helps.

--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
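The two points Fyodor makes above (recvfrom()'s return value is the byte count while the last argument is only the filled-in address length, and the libpcap header should be validated against the bytes actually received) as an added, self-contained example; this is not code from the thread or from Snort. The alert_pkt layout, ALERTMSG_LENGTH and SNAPLEN are assumed stand-ins for Snort's Alertpkt, and the alert is sent through an AF_UNIX datagram socketpair instead of Snort's named socket.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/time.h>

#define ALERTMSG_LENGTH 256   /* assumed sizes, not Snort's own */
#define SNAPLEN 1514

/* Same layout as libpcap's pcap_pkthdr: caplen = captured, len = on wire. */
struct pkthdr_ex { struct timeval ts; unsigned int caplen, len; };

struct alert_pkt {            /* hypothetical stand-in for Snort's Alertpkt */
    unsigned char alertmsg[ALERTMSG_LENGTH];
    struct pkthdr_ex pkth;
    unsigned char pkt[SNAPLEN];
};

/* 1 if the datagram holds a whole header, a NUL-terminated message, and a
 * caplen that does not claim more packet bytes than were actually received. */
int alert_is_sane(const struct alert_pkt *a, ssize_t received)
{
    size_t hdr = offsetof(struct alert_pkt, pkt);
    if (received < (ssize_t)hdr) return 0;
    if (memchr(a->alertmsg, '\0', ALERTMSG_LENGTH) == NULL) return 0;
    if (a->pkth.caplen > SNAPLEN) return 0;
    return a->pkth.caplen <= (size_t)received - hdr;
}

/* Sends send_len bytes of a constructed alert through an AF_UNIX datagram
 * socketpair. recvfrom()'s return value is the byte count; fromlen is only
 * the size of the filled-in sockaddr, the mix-up discussed in the thread. */
static int roundtrip(unsigned int caplen, size_t send_len, ssize_t *got)
{
    int fds[2], ok = 0; struct alert_pkt out, in;
    struct sockaddr_un from; socklen_t fromlen = sizeof from;
    memset(&out, 0, sizeof out);
    strcpy((char *)out.alertmsg, "pings");
    out.pkth.caplen = out.pkth.len = caplen;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) < 0) return 0;
    send(fds[0], &out, send_len, 0);
    *got = recvfrom(fds[1], &in, sizeof in, 0, (struct sockaddr *)&from, &fromlen);
    if (*got > 0) ok = alert_is_sane(&in, *got);
    close(fds[0]); close(fds[1]);
    return ok;
}

ssize_t roundtrip_len(unsigned int caplen, size_t send_len)
{ ssize_t n = -1; roundtrip(caplen, send_len, &n); return n; }
int roundtrip_sane(unsigned int caplen, size_t send_len)
{ ssize_t n = -1; return roundtrip(caplen, send_len, &n); }
```

A truncated datagram or a caplen larger than the bytes received fails the check, which is the validation the reply says was omitted from the original sample.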