Snort mailing list archives

unixsock output plugin for snort Alerts


From: "Dilipan Janarthanan (djanarth)" <djanarth () cisco com>
Date: Mon, 11 May 2015 10:50:13 +0000

Hi, Team,

Would like to use the alert_unixsock output plugin for logging alerts, mainly to avoid using the disk when an alert is 
produced. I’m able to get the alert, but I fail to find the ‘action’ (drop/alert/wdrop) information in the sock output. 
How do we get this information with this plugin?

Also I notice that the ‘pkt’ field in the alertpkt structure (spo_alert_unixsock.h) has been hardcoded to 65535. Is it 
not sufficient to use SNAPLEN as the size of this field instead of the max size?


typedef struct _Alertpkt
{
    uint8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
    struct pcap_pkthdr32 pkth;
    uint32_t dlthdr;       /* datalink header offset. (ethernet, etc.. ) */
    uint32_t nethdr;       /* network header offset. (ip etc...) */
    uint32_t transhdr;     /* transport header offset (tcp/udp/icmp ..) */
    uint32_t data;
    uint32_t val;          /* which fields are valid. (NULL could be
                            * valids also) */
    /* Packet struct --> was null */
#define NOPACKET_STRUCT 0x1
    /* no transport headers in packet */
#define NO_TRANSHDR    0x2
    uint8_t pkt[65535];
    Event event;
} Alertpkt;


Regards,
Dilipan
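The following decoder is an added example, not code from the post or from the Snort project. It unpacks one Alertpkt record as laid out in the struct quoted above, so a reader of the unix socket can see exactly which fields the plugin delivers: the record ends with the Event block and carries no rule action, and pkt[] is always sent at its full 65535 bytes, of which only pkth.caplen are meaningful. The inner layouts of pcap_pkthdr32 (four uint32: tv_sec, tv_usec, caplen, len) and Event (nine uint32 fields), native byte order, and a single alignment pad byte before Event are assumptions to check against your own Snort build; the socket path in read_alerts is likewise an assumption, and build_alertpkt only produces constructed sample records for testing.

```python
"""Decode Alertpkt records emitted by Snort's alert_unixsock output plugin (added example)."""
import socket
import struct

ALERTMSG_LENGTH = 256          # size of alertmsg[] in spo_alert_unixsock.h
PKT_LENGTH = 65535             # pkt[] is hard-coded to this size in the quoted struct
NOPACKET_STRUCT = 0x1          # val flag: no packet was attached to the alert
NO_TRANSHDR = 0x2              # val flag: the packet has no transport header

# Wire layout assumed here (verify against your build): pcap_pkthdr32 is
# {tv_sec, tv_usec, caplen, len} as uint32; Event is nine uint32 fields
# (sig_generator, sig_id, sig_rev, classification, priority, event_id,
# event_reference, ref_time.tv_sec, ref_time.tv_usec); native byte order;
# one alignment pad byte sits between pkt[65535] and Event.
_FMT = (
    "=" + f"{ALERTMSG_LENGTH}s"   # alertmsg
    + "IIII"                       # pkth: tv_sec, tv_usec, caplen, len
    + "IIIII"                      # dlthdr, nethdr, transhdr, data, val
    + f"{PKT_LENGTH}s"             # pkt (always full size on the wire)
    + "x"                          # alignment padding (assumed)
    + "IIIIIIIII"                  # Event
)
ALERTPKT_SIZE = struct.calcsize(_FMT)   # 65864 bytes per alert under these assumptions

EVENT_FIELDS = ("sig_generator", "sig_id", "sig_rev", "classification", "priority",
                "event_id", "event_reference", "ref_sec", "ref_usec")


def parse_alertpkt(buf):
    """Unpack one Alertpkt record into a dict; only caplen bytes of pkt[] are kept."""
    if len(buf) != ALERTPKT_SIZE:
        raise ValueError(f"expected {ALERTPKT_SIZE} bytes, got {len(buf)}")
    fields = struct.unpack(_FMT, buf)
    alertmsg, tv_sec, tv_usec, caplen, wirelen = fields[0:5]
    dlthdr, nethdr, transhdr, data, val = fields[5:10]
    pkt = fields[10]
    event = dict(zip(EVENT_FIELDS, fields[11:20]))
    has_packet = not (val & NOPACKET_STRUCT)
    # Note: nothing in the record names the rule action; the Event block is the last field.
    return {
        "alertmsg": alertmsg.split(b"\0", 1)[0].decode("ascii", "replace"),
        "ts": tv_sec + tv_usec / 1e6,
        "caplen": caplen,
        "len": wirelen,
        "offsets": {"dlthdr": dlthdr, "nethdr": nethdr, "transhdr": transhdr, "data": data},
        "val": val,
        "has_packet": has_packet,
        "has_transhdr": has_packet and not (val & NO_TRANSHDR),
        "pkt": pkt[:caplen] if has_packet else b"",
        "event": event,
    }


def build_alertpkt(msg, pkt=b"", val=0, sig_id=0, priority=0):
    """Build a constructed sample record with the same layout (test data, not Snort output)."""
    if len(pkt) > PKT_LENGTH:
        raise ValueError("packet exceeds pkt[] size")
    return struct.pack(
        _FMT, msg, 1431341413, 0, len(pkt), len(pkt),   # alertmsg, pkth
        0, 14, 34, 54, val, pkt,                         # offsets, val, pkt
        1, sig_id, 1, 0, priority, 0, 0, 1431341413, 0,  # Event
    )


def read_alerts(sock_path):
    """Bind a Unix datagram socket and yield decoded records as Snort sends them.

    Snort's plugin connects to a socket named snort_alert in its log directory;
    the exact path is an assumption here and must match your configuration.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.bind(sock_path)
        while True:
            yield parse_alertpkt(s.recv(ALERTPKT_SIZE))


if __name__ == "__main__":
    rec = parse_alertpkt(build_alertpkt(b"ICMP test", pkt=bytes(range(60)), sig_id=384, priority=3))
    print(rec["alertmsg"], rec["event"]["sig_id"], rec["caplen"], len(rec["pkt"]), ALERTPKT_SIZE)
```

Running the module decodes a constructed 60-byte packet record and prints the record size, which makes the cost of the fixed pkt[65535] field concrete: every alert is a datagram of roughly 64 KB regardless of caplen, so a reader should size its receive buffer to ALERTPKT_SIZE and slice pkt[] by caplen rather than trusting its nominal length.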
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
