Snort mailing list archives
Fwd: Parse UnixSock output with Perl Script
From: Snort User <snort.nsm.user () gmail com>
Date: Tue, 9 Jun 2015 15:58:02 +1200
Dear all,

I'm trying to parse Snort output while receiving it on a Unix socket. I'm using Security Onion. I'm using this Perl script I found in several locations on the web:

#!/usr/bin/perl -w
use strict;
use warnings;
# Include the socket libraries (IO::Socket also loads IO::Socket::UNIX)
use IO::Socket;

# This is the template to capture the alert name: the first 256 bytes of the
# datagram are the message, the rest is kept as one unparsed string.
# Edit this to get the additional packet fields.
my $TEMPLATE = "A256 A*";

my $SOCK_PATH = "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert";

# Release the socket if it already exists
unlink $SOCK_PATH;

# In case of user termination - exit gracefully (the END block removes the socket).
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM, Local => $SOCK_PATH)
    or die "Socket: $@";
print STDOUT "Socket Open ... \n";

# Loop receiving data from the socket, pulling out the alert name and printing it.
# Each alert arrives as one datagram, larger than 1024 bytes, so receive up to
# 65535 bytes; recv() returns undef on error.
my $data;
while (defined recv($client, $data, 65535, 0)) {
    my @MSSG = unpack($TEMPLATE, $data);
    print "$MSSG[0]\n";
}

# At termination close up the socket again.
END { unlink $SOCK_PATH; }

A comment says we can edit the template format to get other information. However, I couldn't find out how to get other information: is there a proper description of the different data we can find in the received packets, with their order, type, bounds, etc.?

My goal is to get the following data:
- signature of the attack
- source IP address
- destination IP address
- protocol
- source and destination ports

I'm sorry, I'm new to Perl and to Snort. I also found a program in C (https://www.snort.org/faq/readme-unsock) to do the same thing, but I didn't find out how to make it work in Security Onion (there is no "snort.h" library anywhere).

Thank you in advance!

Regards,
Veronique
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
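Added example (not from the original post, and not Snort's own code) showing what the "A256 A*" template leaves unparsed. alert_unixsock sends one datagram per alert containing the Alertpkt struct described in snort.h / readme-unsock: alertmsg[256], a struct pcap_pkthdr, the uint32 offsets dlthdr, nethdr, transhdr and data into the packet buffer, a uint32 val carrying the flags NOPACKET_STRUCT (0x1) and NO_TRANSHDR (0x2), the packet bytes pkt[SNAPLEN], and the Event struct (sig_generator, sig_id, sig_rev, classification, priority, event_id, event_reference, ref_time). The field sizes and padding are those of the C compiler that built Snort, so the offsets in this script are assumptions for a 64-bit little-endian Linux build with SNAPLEN 1514 and have to be checked against that build's headers. The datagram is about 1.8 KB, so a recv() of 1024 bytes truncates it. Signature comes from alertmsg and the Event fields; addresses, protocol and ports come from the IP and transport headers located via nethdr and transhdr. The datagram built by sample_alert() is constructed for the self-test, not captured from Snort.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from the Snort project.
# Decodes the Alertpkt struct that Snort's alert_unixsock output writes as
# one datagram per alert. Layout assumptions (check against the snort.h /
# spo_alert_unixsock.h of the Snort build in use): 64-bit little-endian
# Linux, ALERTMSG_LENGTH = 256, SNAPLEN = 1514, struct timeval = 2 x 64 bit.
use strict;
use warnings;
use IO::Socket::UNIX;
use Socket qw(SOCK_DGRAM AF_INET AF_INET6 inet_ntop);

my $ALERTMSG_LENGTH = 256;
my $SNAPLEN         = 1514;
my $NOPACKET_STRUCT = 0x1;   # Alertpkt.val flag: no packet attached
my $NO_TRANSHDR     = 0x2;   # Alertpkt.val flag: no transport header decoded

# Part before pkt[]: alertmsg, pcap_pkthdr (ts.tv_sec, ts.tv_usec, caplen,
# len), then dlthdr, nethdr, transhdr, data, val (byte offsets into pkt[]).
my $HDR_TEMPLATE = "A$ALERTMSG_LENGTH q q L L L L L L L";
my $PKT_OFF      = $ALERTMSG_LENGTH + 16 + 4 * 7;   # 300
my $EVT_OFF      = $PKT_OFF + $SNAPLEN;             # 1814 ...
$EVT_OFF += (8 - $EVT_OFF % 8) % 8;                 # ... aligned to 1816
# Event: sig_generator, sig_id, sig_rev, classification, priority, event_id,
# event_reference, 4 pad bytes, ref_time (tv_sec, tv_usec).
my $EVT_TEMPLATE = "L7 x4 q q";
my $ALERT_LEN    = $EVT_OFF + 48;                   # 1864

# Decode one datagram into a hash (undef if it is too short for the struct).
sub parse_alert {
    my ($buf) = @_;
    return undef if length($buf) < $ALERT_LEN;
    my ($msg, $ts_sec, $ts_usec, $caplen, $len,
        $dlthdr, $nethdr, $transhdr, $data, $val) = unpack($HDR_TEMPLATE, $buf);
    my ($gid, $sid, $rev, $class, $prio) = unpack($EVT_TEMPLATE, substr($buf, $EVT_OFF));
    my %a = (msg => $msg, gid => $gid, sid => $sid, rev => $rev,
             priority => $prio, ts => $ts_sec);
    return \%a if $val & $NOPACKET_STRUCT;

    my $pkt = substr($buf, $PKT_OFF, $SNAPLEN);
    my $ver = ord(substr($pkt, $nethdr, 1)) >> 4;
    if ($ver == 4) {
        $a{proto} = ord(substr($pkt, $nethdr + 9, 1));
        $a{src}   = inet_ntop(AF_INET, substr($pkt, $nethdr + 12, 4));
        $a{dst}   = inet_ntop(AF_INET, substr($pkt, $nethdr + 16, 4));
    } elsif ($ver == 6) {
        $a{proto} = ord(substr($pkt, $nethdr + 6, 1));   # next header only
        $a{src}   = inet_ntop(AF_INET6, substr($pkt, $nethdr + 8, 16));
        $a{dst}   = inet_ntop(AF_INET6, substr($pkt, $nethdr + 24, 16));
    } else {
        return \%a;                                      # non-IP: signature only
    }
    # Ports exist only for TCP (6) / UDP (17) and only if Snort found a transport header.
    if (!($val & $NO_TRANSHDR) && ($a{proto} == 6 || $a{proto} == 17)) {
        @a{qw(sport dport)} = unpack("n n", substr($pkt, $transhdr, 4));
    }
    return \%a;
}

sub format_alert {
    my ($a) = @_;
    my %name = (1 => 'ICMP', 6 => 'TCP', 17 => 'UDP', 58 => 'ICMPv6');
    my $line = sprintf("[%d:%d:%d] %s", $a->{gid}, $a->{sid}, $a->{rev}, $a->{msg});
    return $line unless defined $a->{src};
    my $src = defined $a->{sport} ? "$a->{src}:$a->{sport}" : $a->{src};
    my $dst = defined $a->{dport} ? "$a->{dst}:$a->{dport}" : $a->{dst};
    return "$line " . ($name{$a->{proto}} // $a->{proto}) . " $src -> $dst";
}

# Constructed datagram (not captured from Snort) with the layout above:
# 14-byte Ethernet header, IPv4 10.0.0.5 -> 192.168.1.20, TCP 44321 -> 80.
sub sample_alert {
    my $ip  = pack("C C n n n C C n a4 a4", 0x45, 0, 40, 1, 0, 64, 6, 0,
                   pack("C4", 10, 0, 0, 5), pack("C4", 192, 168, 1, 20));
    my $pkt = ("\0" x 14) . $ip . pack("n n", 44321, 80);
    my $buf = pack($HDR_TEMPLATE, "TEST local rule", 1433800000, 0,
                   length($pkt), length($pkt), 0, 14, 34, 54, 0);
    $buf .= pack("a$SNAPLEN", $pkt);
    $buf .= "\0" x ($EVT_OFF - length($buf));
    return $buf . pack($EVT_TEMPLATE, 1, 1000001, 2, 0, 3, 7, 0, 1433800000, 0);
}

if (@ARGV && $ARGV[0] eq '--selftest') {
    print format_alert(parse_alert(sample_alert())), "\n";
    exit 0;
}

# Usage: perl snort_unsock.pl /nsm/sensor_data/<sensor>/snort-1/snort_alert
# The listener must be bound before Snort sends to the path.
my $path = shift or die "usage: $0 --selftest | <socket path>\n";
unlink $path;
my $sock = IO::Socket::UNIX->new(Type => SOCK_DGRAM, Local => $path)
    or die "socket $path: $@";
$SIG{TERM} = $SIG{INT} = sub { unlink $path; exit 0 };
my $buf;
while (defined recv($sock, $buf, 65535, 0)) {
    my $a = parse_alert($buf) or next;     # one Alertpkt per datagram
    print format_alert($a), "\n";
}
unlink $path;
```

Run it with --selftest to decode the constructed sample, or with the socket path to read live alerts. If the decoded signature looks right but addresses or ports are garbage, the struct offsets differ from the assumptions (a 32-bit build, a different SNAPLEN, or different timeval sizes); compare $PKT_OFF and $EVT_OFF against sizeof() values from the headers of the Snort build in use.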
Current thread:
- Fwd: Parse UnixSock output with Perl Script Snort User (Jun 08)
- <Possible follow-ups>
- Fwd: Parse UnixSock output with Perl Script Véronique B. (Jun 11)
- Re: Fwd: Parse UnixSock output with Perl Script Victor Roemer (Jun 15)