Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: yet another unix socket question...

From: Fyodor <fygrave () tigerteam net>
Date: Mon, 14 Jan 2002 10:46:34 +0700
On Sun, Jan 13, 2002 at 07:48:40PM -0500, Dr. Richard W. Tibbs wrote:

Thanks, Fyodor.  Your code sample really helped. Things are "working", 
that is I succeed in getting the alerts via the socket. But.... some 
wierd results, all the alerts appear to be length 2 bytes.  I describe 
my approach below.


len is not the length of bytes received. len is the size of struct
sockaddr structure, which recvfrom filled in. if you want to see the
length of bytes received, change the code like:


  while ((recv = recvfrom (sockfd, (void *) &alert, sizeof (alert),
                   0, (struct sockaddr *) &bogus, &len)) > 0)
    {
 
.. 
recv will have the size of Alertpkt structure. I think you may also need
to do neccesary data validation after (which I omitted in my code)
comparing the data from libpcap pktheader with actual datasize. Current
situation is that if the packet is bigger than maximum  snaplen, then it
will be truncated. (same goes with message, if it is too long, it would
be truncated accordingly).


Several questions at this point:
1) For testing the socket alert, I would like to set up snort to alert 
only pings.  (I will ping from same machine as snort is running, and 
make sure I get all the packets, etc.)
I think there must be many ways of doing this, but after reading the 
snort manual, the simplest one I come up with is:

snort -A unsock -c snort.conf

< where somewhere in snort.conf ...>
#################################
# Step #3 Configure output plugins...
#  (blah blah)
output alert_unixsock
alert icmp any any -> any any
<rest of snort.conf ... but all other rule files commented out >



maybe also (msg:"pings"); ;-)


2) I notice in the code sample you sent, that the variables snortaddr & 
bogus are declared sockaddr_un, but then cast to sockaddr in the bind 
and recvfrom calls. Why is this? Shouldn't it be cast to sockaddr_un? 


Because bind() and recvfrom() require the cast due to their declarations.

       int  bind(int  sockfd, struct sockaddr *my_addr, socklen_t
       addrlen);

       int  recvfrom(int  s,  void  *buf,  size_t len, int flags,
       struct sockaddr *from, socklen_t *fromlen);

  



(Either way, I get 2 bytes for each ping .)

3) Finally: Where are the various
sys/types.h
sys/socket.h ...
located in a Suse linux distrib?


/usr/include/ ? ;-)


Your question 2 emails ago "..how is myaddr declared.." is a good one;
from the socket how-tos I found on google, I thought everything could 
just be "sockaddr".


no, sockaddr is generic structure. General definition is that most of
the socket relevant syscalls take this structure as parameter. Then they
operate it according to what your socket type is. AF_INET would make
sockaddr considered to be sockaddr_in, AF_UNIX, sockaddr_un, etc. That's
why you still have to cast the sockaddr_* structs, so the same
function/interface would be used to operate with different socket types.

hope it helps.

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: