Snort mailing list archives

Re: unixsock output plugin for snort Alerts


From: "Dilipan Janarthanan (djanarth)" <djanarth () cisco com>
Date: Thu, 14 May 2015 14:02:35 +0000

Hi Carter, Thanks for your answer!
Any particular reason why this plugin does not need packet 'disposition' information? To be comparable to the output 
produced by other output plugins, can we have this in unixsock as well?

And thanks for clarifying the packet size.

Regards,
Dilipan

From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Wednesday, 13 May 2015 6:35 pm
To: Dilipan Janarthanan <djanarth () cisco com>, "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] unixsock output plugin for snort Alerts

Hi Dilipan,

We currently do not include support for that under the unixsock output plugin. If you would like to add the 
functionality to your alerting format, see how we use Active_GetDisposition() under fast and unified2 logging.

As for the packet size, the alert plugin may be handling alerts from rebuilt packets, which may reach that 65535 byte 
bound.

Let us know if you have any questions!
Thanks,
Carter

From: "Dilipan Janarthanan (djanarth)" <djanarth () cisco com>
Date: Wednesday, May 13, 2015 at 5:05 AM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] unixsock output plugin for snort Alerts

Hello,
Any insights into this problem, please?

Appreciate your help!
-Dilipan

From: Dilipan Janarthanan <djanarth () cisco com>
Date: Monday, 11 May 2015 4:20 pm
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] unixsock output plugin for snort Alerts

Hi, Team,

Would like to use alert_unixsock output plugin for logging alerts mainly to avoid using the disk when an alert is 
produced. I’m able to get the alert, but I fail to find the ‘action’ (drop/alert/wdrop) information in the sock output. 
How do we get this information with this plugin?

Also I notice that the ‘pkt’ field in the alertpkt structure (spo_alert_unixsock.h) has been hardcoded to 65535. Is it 
not sufficient to use SNAPLEN as the size of this field instead of the max size?


typedef struct _Alertpkt
{
    uint8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
    struct pcap_pkthdr32 pkth;
    uint32_t dlthdr;       /* datalink header offset. (ethernet, etc.. ) */
    uint32_t nethdr;       /* network header offset. (ip etc...) */
    uint32_t transhdr;     /* transport header offset (tcp/udp/icmp ..) */
    uint32_t data;
    uint32_t val;          /* which fields are valid. (NULL could be
                            * valids also) */
    /* Packet struct --> was null */
#define NOPACKET_STRUCT 0x1
    /* no transport headers in packet */
#define NO_TRANSHDR    0x2
    uint8_t pkt[65535];
    Event event;
} Alertpkt;


Regards,
Dilipan
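Added example, not code from this thread or from the Snort project: a minimal reader for the datagrams alert_unixsock emits, laid out as the Alertpkt struct quoted above. It shows what a consumer actually gets (alert message, pcap header, layer offsets, the val flags and the Event) and that, as the thread states, there is no disposition/action field to extract. The layout details the page does not show are assumptions, labelled in the code: ALERTMSG_LENGTH is 256, pcap_pkthdr32 is four uint32 fields, Event is seven uint32 fields followed by a 32-bit timeval, Snort sends sizeof(Alertpkt) bytes per alert to a socket named snort_alert under the log directory, and the compiler pads one byte between pkt[65535] and the 4-byte-aligned Event. The sample Ethernet/IPv4/TCP packet and event values are constructed here for the demo.

```python
"""Reader for Snort alert_unixsock datagrams in the Alertpkt layout (added example)."""
import os
import socket
import struct
import tempfile

# From the Alertpkt struct quoted in the thread (spo_alert_unixsock.h).
PKT_LENGTH = 65535
NOPACKET_STRUCT = 0x1
NO_TRANSHDR = 0x2
# Assumptions not shown on the page: ALERTMSG_LENGTH is 256, pcap_pkthdr32 is four
# uint32 fields, and Event is seven uint32 fields plus a 32-bit timeval (sec, usec).
ALERTMSG_LENGTH = 256
PKTHDR = struct.Struct("=IIII")      # ts_sec, ts_usec, caplen, len
OFFSETS = struct.Struct("=IIIII")    # dlthdr, nethdr, transhdr, data, val
EVENT = struct.Struct("=IIIIIIIII")  # sig_generator .. event_reference, ref_sec, ref_usec
EVENT_FIELDS = ("sig_generator", "sig_id", "sig_rev", "classification",
                "priority", "event_id", "event_reference", "ref_sec", "ref_usec")

# Byte offsets inside one datagram.  pkt[] is 65535 bytes long, so the compiler inserts
# one pad byte before the 4-byte-aligned Event; Snort sends sizeof(Alertpkt) per alert.
PKTHDR_OFF = ALERTMSG_LENGTH
OFFSETS_OFF = PKTHDR_OFF + PKTHDR.size
PKT_OFF = OFFSETS_OFF + OFFSETS.size
EVENT_OFF = (PKT_OFF + PKT_LENGTH + 3) & ~3
ALERTPKT_SIZE = EVENT_OFF + EVENT.size


def parse_alertpkt(buf):
    """Decode one datagram.  The struct carries no disposition/action, so none is returned."""
    if len(buf) != ALERTPKT_SIZE:
        # A size mismatch means the layout assumptions above differ from this Snort build.
        raise ValueError("datagram is %d bytes, expected %d" % (len(buf), ALERTPKT_SIZE))
    msg = buf[:ALERTMSG_LENGTH].split(b"\0", 1)[0].decode("ascii", "replace")
    ts_sec, ts_usec, caplen, wirelen = PKTHDR.unpack_from(buf, PKTHDR_OFF)
    dlthdr, nethdr, transhdr, data, val = OFFSETS.unpack_from(buf, OFFSETS_OFF)
    event = dict(zip(EVENT_FIELDS, EVENT.unpack_from(buf, EVENT_OFF)))
    alert = {"msg": msg, "event": event, "val": val, "packet": None, "layers": {}}
    if val & NOPACKET_STRUCT:
        return alert                    # alert without a packet: pkt[] holds nothing useful
    caplen = min(caplen, PKT_LENGTH)    # a rebuilt packet may fill the whole 65535 bytes
    pkt = buf[PKT_OFF:PKT_OFF + caplen]
    alert["packet"] = pkt
    alert["pcap"] = {"ts_sec": ts_sec, "ts_usec": ts_usec, "caplen": caplen, "len": wirelen}
    if val & NO_TRANSHDR:               # no transport header: net runs straight to data
        alert["layers"] = {"link": pkt[dlthdr:nethdr], "net": pkt[nethdr:data],
                           "transport": b"", "payload": pkt[data:]}
    else:
        alert["layers"] = {"link": pkt[dlthdr:nethdr], "net": pkt[nethdr:transhdr],
                           "transport": pkt[transhdr:data], "payload": pkt[data:]}
    return alert


def build_alertpkt(msg, pkt, offsets, event, ts=(0, 0)):
    """Pack a datagram in the same layout (constructed test input, not Snort output)."""
    if len(msg) >= ALERTMSG_LENGTH or len(pkt) > PKT_LENGTH:
        raise ValueError("message or packet too long for Alertpkt")
    buf = bytearray(ALERTPKT_SIZE)
    buf[:len(msg)] = msg
    PKTHDR.pack_into(buf, PKTHDR_OFF, ts[0], ts[1], len(pkt), len(pkt))
    OFFSETS.pack_into(buf, OFFSETS_OFF, *offsets)
    buf[PKT_OFF:PKT_OFF + len(pkt)] = pkt
    EVENT.pack_into(buf, EVENT_OFF, *(event[f] for f in EVENT_FIELDS))
    return bytes(buf)


def open_alert_socket(path):
    """Bind the datagram socket Snort writes to (assumed: <logdir>/snort_alert)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock


def recv_one_alert(sock):
    return parse_alertpkt(sock.recv(ALERTPKT_SIZE))


# Constructed sample: Ethernet(14) + IPv4(20) + TCP(20) + an HTTP request line (18).
SAMPLE_ETH = bytes.fromhex("00112233445566778899aabb0800")
SAMPLE_IP = bytes.fromhex("4500003a00004000400600000a0000010a000002")
SAMPLE_TCP = bytes.fromhex("04d2005000000001000000005018000000000000")
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_EVENT = {"sig_generator": 1, "sig_id": 1000001, "sig_rev": 1, "classification": 3,
                "priority": 2, "event_id": 7, "event_reference": 7,
                "ref_sec": 1431500000, "ref_usec": 0}


def demo():
    """Send one constructed datagram through a Unix socket and decode it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "snort_alert")
    rx = open_alert_socket(path)
    tx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        pkt = SAMPLE_ETH + SAMPLE_IP + SAMPLE_TCP + SAMPLE_PAYLOAD
        dgram = build_alertpkt(b"TEST ALERT [1:1000001:1]", pkt, (0, 14, 34, 54, 0), SAMPLE_EVENT)
        tx.sendto(dgram, path)
        return recv_one_alert(rx)
    finally:
        tx.close()
        rx.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())
```

Before pointing this at a live Snort, check that the datagram length equals sizeof(Alertpkt) from your build (a one-line C program printing it is enough); parse_alertpkt refuses any other size rather than silently misreading the Event. Note that on a 64-bit build where Event ends in a native struct timeval the trailing fields are wider and the pad differs, which is exactly the case the size check catches.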
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
