Snort mailing list archives

snort -A unsock feature


From: Yuri Leikind <y.leikind () sam-solutions net>
Date: Fri, 25 Apr 2003 18:36:14 +0300

Hello all,

I am trying to use Snort's ability to write alerts to 
a UnixSocket.

For testing purposes I've written a single rule:

alert tcp any any -> MyIP 22 (msg:"Someone is using ssh to connect to me";)

If I run snort like this:

 snort -de -l log -h MyIP -c rule -A full

I get the alerts in the alert file in the ./log directory, if someone
connects to me via ssh.

But if I use

 snort -de -l log -h MyIP -c rule -A unsock

and a simple script written in Ruby to listen to the socket:


     require 'socket'
     file = "/dev/snort_alert"

     sock = UNIXServer.open(file)

     while s = sock.accept
        puts "gotcha"
        p  s.recvfrom(1) # or any number of bytes
     end


I get nothing.

Has anyone used this feature?


-- 
Best regards,
Yuri Leikind


"... 5 years from now everyone will be running free 
GNU on their 200 MIPS, 64M SPARCstation-5."

Andy Tanenbaum to Linus Torvalds 
in comp.lang.minix on Jan 1, 1992
http://groups.google.com/groups?lr=&selm=12615%40star.cs.vu.nl
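A listener that does receive the alerts, added here as an example and not code from the original post or from Snort: Snort's unsock output module sends each alert as a datagram over an AF_UNIX SOCK_DGRAM socket to /dev/snort_alert, so a UNIXServer (stream) socket is never written to. The 256-byte leading alertmsg field is assumed from Snort's Alertpkt definition, the rest of the datagram is left undecoded, and the helper names are mine.

```ruby
require 'socket'

# Snort's unsock output sends each alert as one datagram (AF_UNIX/SOCK_DGRAM)
# to /dev/snort_alert, so a stream listener (UNIXServer) never sees it; the
# receiver must bind a datagram socket at that path before Snort starts.
# Assumed from Snort's Alertpkt struct: the datagram begins with a 256-byte
# NUL-padded message field; everything after it is left undecoded here.
ALERTMSG_LENGTH = 256

# Bind a datagram socket at +path+ (Snort's default is /dev/snort_alert),
# removing a stale socket file left by an earlier run (a non-socket is kept).
def open_alert_socket(path)
  File.unlink(path) if File.socket?(path)
  sock = Socket.new(Socket::AF_UNIX, Socket::SOCK_DGRAM, 0)
  sock.bind(Socket.pack_sockaddr_un(path))
  sock
end

# Extract the NUL-terminated message from one datagram. Returns nil for a
# datagram too short to carry the field, so junk written to the socket by
# another process does not raise inside the receive loop.
def parse_alert_datagram(data)
  return nil if data.bytesize < ALERTMSG_LENGTH
  data.unpack1("Z#{ALERTMSG_LENGTH}").force_encoding(Encoding::UTF_8)
end

# Receive +count+ datagrams from +sock+ and return their decoded messages.
def receive_alerts(sock, count)
  Array.new(count) do
    data, _addr = sock.recvfrom(65_536)
    parse_alert_datagram(data)
  end
end

# Constructed test datagram in the shape described above: the message padded
# with NULs to ALERTMSG_LENGTH plus opaque bytes standing in for the rest of
# the struct, sent from a second datagram socket the way Snort would.
def send_sample_alert(path, msg, trailer_len = 64)
  datagram = msg.b.ljust(ALERTMSG_LENGTH, "\0") + ("\0" * trailer_len)
  tx = Socket.new(Socket::AF_UNIX, Socket::SOCK_DGRAM, 0)
  tx.send(datagram, 0, Socket.pack_sockaddr_un(path))
  tx.close
end

# Foreground listener: prints one line per alert until interrupted.
def run_listener(path = "/dev/snort_alert")
  sock = open_alert_socket(path)
  loop { puts receive_alerts(sock, 1).first }
end
run_listener(ENV["SNORT_SOCK"]) if ENV["SNORT_SOCK"]
```

Start it with SNORT_SOCK=/dev/snort_alert before launching snort -A unsock; the listener must own the socket path (and have permission to create it under /dev) or Snort has nothing to send to.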

