Snort mailing list archives

Re: Unixsock plugin?


From: Dirk Geschke <dirk () geschke-online de>
Date: Tue, 24 Nov 2009 16:47:11 +0100

Hi Honia,

1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: 
"snort -A unsock -c snort.conf ". Did you mean I have to delete the line from the snort.conf file and just run the 
command itself? 

No, in this case it does not matter: both do the same.

But if you define "output alert_unixsock" in snort.conf there is no
need to use "-A unsock", too.

2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?

Simply write a script/program that creates the unix domain socket
and reads from it. That's all.

The socket should be in the log dir and called snort_alert.

All you need is something like this:

---
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

int sock;
struct sockaddr_un unix_addr;
socklen_t length = sizeof(unix_addr);

/* get a socket */
sock = socket(PF_UNIX, SOCK_DGRAM, 0);

/* we want a unix socket */
memset(&unix_addr, 0, sizeof(unix_addr));
unix_addr.sun_family = AF_UNIX;
strncpy(unix_addr.sun_path, SocketName, sizeof(unix_addr.sun_path) - 1);

/* create the socket */
bind(sock, (struct sockaddr *) &unix_addr, length);
---

SocketName should be the name of the socket you want to create.

After this you can read from "sock" when snort writes to it.
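The receiver described above as a complete program, an added example that is neither Dirk's code nor Snort's own. It assumes the Snort 2.x Alertpkt layout (each alert arrives as one datagram whose first 256 bytes hold the NUL-terminated alert message); the function names and the self_test that stands in for Snort are mine.

```c
/* Added example, not from the message. Assumed Snort 2.x Alertpkt: first 256 bytes = NUL-terminated alert message. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#define ALERTMSG_LENGTH 256

/* Fill a sockaddr_un; fails if the path does not fit in sun_path (about 108 bytes). */
static int unix_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    return snprintf(a->sun_path, sizeof a->sun_path, "%s", path) < (int)sizeof a->sun_path ? 0 : -1;
}
/* Create the datagram socket Snort writes to, e.g. <logdir>/snort_alert. */
int create_alert_socket(const char *path)
{
    struct sockaddr_un addr;
    int sock = unix_addr(&addr, path) < 0 ? -1 : socket(PF_UNIX, SOCK_DGRAM, 0);
    unlink(path);                               /* a stale socket file makes bind() fail */
    if (sock >= 0 && bind(sock, (struct sockaddr *)&addr, sizeof addr) == 0)
        return sock;
    if (sock >= 0) close(sock);
    return -1;
}
/* Block for one datagram and copy out its alert message. Returns 0, or -1 on error. */
int read_alert_message(int sock, char *out, size_t outlen)
{
    static char pkt[1 << 17];                   /* larger than any Alertpkt */
    ssize_t n = recv(sock, pkt, sizeof pkt, 0);
    if (n < ALERTMSG_LENGTH)
        return -1;                              /* too short to be an alert */
    pkt[ALERTMSG_LENGTH - 1] = '\0';            /* never rely on the sender's NUL */
    snprintf(out, outlen, "%s", pkt);
    return 0;
}
/* Self-check standing in for Snort: send one constructed datagram and read it back. */
int self_test(const char *path)
{
    char pkt[ALERTMSG_LENGTH + 64] = "TEST ALERT [constructed]", msg[64];  /* not a real alert */
    struct sockaddr_un dst;
    int srv = create_alert_socket(path), cli = socket(PF_UNIX, SOCK_DGRAM, 0), ok = -1;
    if (srv >= 0 && cli >= 0 && unix_addr(&dst, path) == 0 &&
        sendto(cli, pkt, sizeof pkt, 0, (struct sockaddr *)&dst, sizeof dst) == (ssize_t)sizeof pkt &&
        read_alert_message(srv, msg, sizeof msg) == 0 && strcmp(msg, pkt) == 0)
        ok = 0;
    if (cli >= 0) close(cli);
    if (srv >= 0) { close(srv); unlink(path); }
    return ok;
}
```

In production the socket directory should be writable only by the user Snort runs as, so that nothing else can feed forged alerts to the reader.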

Best regards

Dirk
-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| dirk () geschke-online de / dirk () lug-erding de  / kontakt () lug-erding de | 
+----------------------------------------------------------------------+
