Snort mailing list archives

Re: Unixsock plugin?


From: Honia A <honia2002 () hotmail com>
Date: Tue, 24 Nov 2009 11:30:32 -0500


Hi Dirk,

Thanks much for your reply, I really appreciate it.

1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).

2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any good?

3) You said "After this you can read from "sock" when snort writes to it". Would you please tell me how I could do this?

Thanks so much,
h

P.S. Here's the code:

#!/usr/bin/perl
use strict;
use warnings;

# Include the socket libraries
use IO::Socket;

# Path of the socket that Snort's alert_unixsock output writes to
my $SOCK_PATH = "/var/log/snort/snort_alert";

# This is the template to capture the Alert Name (the first 256 bytes).
# Edit this to get the additional packet data that follows it.
my $TEMPLATE = "A256 A*";

# Release the socket if it already exists
unlink $SOCK_PATH;

# In case of user termination - exit gracefully (the END block cleans up).
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
                                   Local => $SOCK_PATH)
  or die "Socket: $@";

print STDOUT "Socket Open ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it. A datagram longer than 1024 bytes is
# truncated by recv, but the alert name sits in the first 256 bytes.
my $data;

while (1) {
    defined recv($client, $data, 1024, 0) or die "recv: $!";
    my @FIELDS = unpack($TEMPLATE, $data);

    print "$FIELDS[0]\n";
}

# At termination close up the socket again.
END { unlink $SOCK_PATH; }
Date: Tue, 24 Nov 2009 16:47:11 +0100
From: dirk () geschke-online de
To: honia2002 () hotmail com
CC: dirk () geschke-online de; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unixsock plugin?

Hi Honia,

1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: 
"snort -A unsock -c snort.conf ". Did you mean I have to delete the line from the snort.conf file and just run the 
command itself? 

No, in this case it does not matter: both do the same...

But if you define "output alert_unixsock" in snort.conf there is no
need to use "-A unsock", too.

2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?

Simply write a script/program that creates the unix domain socket
and reads from it. That's all.

The socket should be in the log dir and called snort_alert.

All you need is something like this:

---
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

int sock;
struct sockaddr_un unix_addr;

/* get a socket */
sock = socket(PF_UNIX, SOCK_DGRAM, 0);

/* we want a unix socket */
memset(&unix_addr, 0, sizeof(unix_addr));
unix_addr.sun_family = AF_UNIX;
strcpy(unix_addr.sun_path, SocketName);

/* create the socket file and bind to it */
bind(sock, (struct sockaddr *) &unix_addr, sizeof(unix_addr));
---

SocketName should be the name of the socket you want to create.

After this you can read from "sock" when snort writes to it.

Best regards

Dirk
-- 
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| dirk () geschke-online de / dirk () lug-erding de / kontakt () lug-erding de | 
+----------------------------------------------------------------------+
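To show what "read from sock when snort writes to it" looks like in full, here is a complete C receiver. It is an added example written for this archive page, not Honia's Perl script and not Dirk's snippet. It creates and binds the datagram socket, blocks on recv(), and copies the alert message out of each datagram into a NUL-terminated string. It assumes, following the "A256" field of the Perl template above, that the first 256 bytes of every datagram are the alert message; whatever follows (packet data) is left alone. The function send_fake_alert() is a stand-in for Snort used only for offline testing, and the socket path in main() is the /var/log/snort/snort_alert location mentioned in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

#define ALERTMSG_LENGTH 256   /* assumed: the "A256" field of the Perl template */

/* Create the datagram socket at `path` and bind it, removing a stale
 * socket file first. Returns the descriptor, or -1 on failure. */
int open_alert_socket(const char *path)
{
    struct sockaddr_un addr;
    int sock;

    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;                        /* path would not fit in sun_path */
    sock = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);
    if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(sock);
        return -1;
    }
    return sock;
}

/* Copy the alert message from one raw datagram into `out` as a
 * NUL-terminated string, never reading past the 256-byte field even
 * when the sender did not terminate it. Returns the message length,
 * or -1 if the datagram is shorter than the message field. */
int extract_alertmsg(const unsigned char *dgram, size_t dlen,
                     char *out, size_t outlen)
{
    size_t n = 0;

    if (dlen < ALERTMSG_LENGTH || outlen == 0)
        return -1;
    while (n < ALERTMSG_LENGTH && dgram[n] != '\0')
        n++;
    if (n >= outlen)
        n = outlen - 1;                   /* truncate to the caller's buffer */
    memcpy(out, dgram, n);
    out[n] = '\0';
    return (int)n;
}

/* Block for one datagram and extract its alert message.
 * Returns the message length, or -1 on recv() error or short datagram. */
int read_one_alert(int sock, char *out, size_t outlen)
{
    unsigned char buf[8192];              /* message field plus packet data */
    ssize_t got = recv(sock, buf, sizeof(buf), 0);

    if (got < 0)
        return -1;
    return extract_alertmsg(buf, (size_t)got, out, outlen);
}

/* Stand-in for Snort (testing only): send one constructed datagram made of
 * the message field and a few dummy trailing bytes to the socket at `path`.
 * Returns 0 on success, -1 on failure. */
int send_fake_alert(const char *path, const char *msg)
{
    unsigned char dgram[ALERTMSG_LENGTH + 16];
    struct sockaddr_un addr;
    int sock, rc;

    memset(dgram, 0, sizeof(dgram));
    strncpy((char *)dgram, msg, ALERTMSG_LENGTH - 1);
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    sock = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0)
        return -1;
    rc = sendto(sock, dgram, sizeof(dgram), 0,
                (struct sockaddr *)&addr, sizeof(addr)) < 0 ? -1 : 0;
    close(sock);
    return rc;
}

int main(void)
{
    const char *path = "/var/log/snort/snort_alert";   /* from the thread */
    char msg[ALERTMSG_LENGTH];
    int sock = open_alert_socket(path);

    if (sock < 0) {
        perror("open_alert_socket");
        return 1;
    }
    printf("Socket open, waiting for alerts on %s\n", path);
    for (;;) {
        if (read_one_alert(sock, msg, sizeof(msg)) >= 0)
            printf("%s\n", msg);
    }
}
```

Build it with a plain `cc -o unixsock_reader unixsock_reader.c`, start it as a user allowed to create files in the log directory, and then start Snort; the reader must already own the socket path before Snort tries to write to it. Unlike Dirk's strcpy() sketch, the path length is checked against sun_path and the message is copied with an explicit bound, so a datagram whose message field is not NUL-terminated cannot run the copy past 256 bytes.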