Snort mailing list archives

Unsock Output Issues


From: Korodev <korodev () gmail com>
Date: Tue, 24 May 2011 16:32:33 -0500

I've been playing with Snort's unsock output to plug into an existing
app that does some custom reporting and notification work. For
reference, I'm running 2.9.0.5 and FreeBSD 8.2

The unsock readme says that snort writes to /dev/snort_alert, which
I'm assuming is quite dated. Analysis of the spo_alert_unixsock code
shows that snort is looking at snort_conf->log_dir, which ultimately
(with the define) points to /var/log/snort/snort_alert.

To do some troubleshooting, I wrote a minimal socket server that opens
a unix dgram socket at /var/log/snort/snort_alert, printing all recv'd
data, and a test client to send data to the socket. Everything there
works as expected.

According to the output plugin code, it should throw plenty of errors
when having trouble creating the socket. Sockstat shows that my
server/listener is active and listening on the right socket, but
interestingly enough, shows an entry for Snort with "(not connected)"
under the local address field.

I know creating the socket doesn't actually connect it, and saw that
there doesn't seem to be a connect statement in the output plugin.
Once I added a connect(alertsd, (struct sockaddr *) &alertaddr,
sizeof(alertaddr)) statement, sockstat at least shows that snort
is connecting to the socket, but the sendto statement is still
failing.

Anyone have any exp with this? Feeling like I'm really close :)

Thanks,

\\korodev
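Added example (not code from this post or from Snort): a minimal Unix datagram listener alongside a sendto() client written the way the unixsock plugin writes, so the receiving side can be checked on its own and the sendto() failure seen when nothing is bound at the path. The socket path and alert message are constructed; ALERTMSG_LENGTH = 256 is an assumption about the plugin's struct layout, not something this post states.

```python
import errno
import os
import socket
import tempfile

# Assumed layout (from Snort's spo_alert_unixsock.h, not from this post): each
# alert is one datagram, a packed struct whose first field is a fixed-size
# NUL-padded alert message. ALERTMSG_LENGTH = 256 is that assumption.
ALERTMSG_LENGTH = 256


def open_listener(path):
    """Bind a Unix DGRAM socket at path; this is the endpoint Snort's sendto() must find."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    return srv


def send_alert(path, datagram):
    """Mimic the plugin: unbound, unconnected DGRAM socket plus sendto(); no connect() needed.
    Returns None on success or the errno name of the failure (ENOENT when nobody is bound)."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        cli.sendto(datagram, path)
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        cli.close()


def parse_alert_message(datagram):
    """Return the NUL-terminated alert message from the first field of the datagram."""
    return datagram[:ALERTMSG_LENGTH].split(b"\x00", 1)[0].decode("ascii", "replace")


def demo():
    """Constructed check: listener bound -> sendto succeeds; listener gone -> sendto fails."""
    path = os.path.join(tempfile.mkdtemp(), "snort_alert")  # stand-in for /var/log/snort/snort_alert
    msg = b"ICMP PING"  # constructed alert message
    datagram = msg.ljust(ALERTMSG_LENGTH, b"\x00") + b"\x00" * 64  # message field + dummy remainder
    srv = open_listener(path)
    try:
        err_bound = send_alert(path, datagram)
        data, _ = srv.recvfrom(65535)
        got = parse_alert_message(data)
    finally:
        srv.close()
        os.unlink(path)
    err_unbound = send_alert(path, datagram)
    return err_bound, got, err_unbound
```

Running demo() returns (None, 'ICMP PING', 'ENOENT'): the datagram arrives while a listener is bound, and the same sendto() fails with ENOENT once the bound socket is gone, which is the first thing to rule out when sendto fails in the plugin.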
