Re: Fwd: Parse UnixSock output with Perl Script

[Victor Roemer <viroemer () cisco com>]

Veronique,

I think that this is the data structure that you are looking for. I did 
not look
at the perl script, but decoding this with perl will feel uncomfortable.

pathname: src/output-plugins/spo_alert_unixsock.h

--- snip ---

typedef struct _Alertpkt
{
    uint8_t alertmsg[ALERTMSG_LENGTH]; /* variable.. */
    struct pcap_pkthdr32 pkth;
    uint32_t dlthdr;       /* datalink header offset. (ethernet, etc.. ) */
    uint32_t nethdr;       /* network header offset. (ip etc...) */
    uint32_t transhdr;     /* transport header offset (tcp/udp/icmp ..) */
    uint32_t data;
    uint32_t val;          /* which fields are valid. (NULL could be 
valids also) */
    /* Packet struct --> was null */
#define NOPACKET_STRUCT 0x1
    /* no transport headers in packet */
#define NO_TRANSHDR    0x2
    uint8_t pkt[65535];
    Event event;
} Alertpkt;

--- end-snip ---


Note that there is the "Event" as the last element. It looks like this
is the data that you want (cleaned up a bit).

pathname: src/event.h

--- snip ---

typedef struct _Event
{
    uint32_t sig_generator;
    uint32_t sig_id;
    uint32_t sig_rev;
    uint32_t classification;
    uint32_t priority;
    uint32_t event_id;
    uint32_t event_reference;
    struct sf_timeval32 ref_time;

#if defined(FEAT_OPEN_APPID)

#define MAX_EVENT_APPNAME_LEN  16
    char app_name[MAX_EVENT_APPNAME_LEN];
#endif

} Event;

--- end-snip ---


Hope this helps... although, why not use unified2? It is much better 
documented,
and there are a number of tools for it which are opensource too: Including
barnyard, et al. (and some of my own)


On 6/11/15 17:58, Véronique B. wrote:
> Dear All,
> I still haven't find a way to do it. Does anyone have a clue?
> I tried to look at Snort Source Code, but I still don't know in which 
> order are the fields of the packets.
>
> Thank you very much in advance for your help,
>
> Regards,
>
> Veronique
> ---------- Forwarded message ----------
> From: *Snort User* <snort.nsm.user () gmail com 
> <mailto:snort.nsm.user () gmail com>>
> Date: 2015-06-09 15:48 GMT+12:00
> Subject: Parse UnixSock output with Perl Script
> To: snort-users () lists sourceforge net 
> <mailto:snort-users () lists sourceforge net>
>
>
> Dear all,
> I'm trying to parse Snort output while receiving it on a Unix Socket. 
> I'm using Security Onion.
> I'm using this Perl Script I found in several locations on the web:
>
> #!/usr/bin/perl -w
> use strict;
> use warnings;
>
> # Include the socket libraries
>
> use IO::Socket;
>
> # This is the template to capture the Alert Name
> # Edit this to get the additional packets.
> my $TEMPLATE = "A256 A*";
>
> # Release the socket if it already exists
>
> unlink "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert";
>
> # In case of user termination - exit gracefully.
>
> $SIG{TERM} = $SIG{INT} = sub { exit 0 };
>
> # Open up the socket.
> my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM, Local => 
> "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert") or die "Socket: $@";
>
> print STDOUT "Socket Open ... \n";
>
> # Loop receiving data from the socket, pulling out the
> # alert name and printing it.
>
> my $data;
>
> while ( 1 ) {
> recv($client,$data,1024,0);
>     my @MSSG = unpack($TEMPLATE, $data);
>     print "$MSSG[0]\n"
>
> }
>
> # At termination close up the socket again.
>
> END {unlink "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert";};
>
>
> A comment says we can edit the Template format to get others 
> information. However, I couldn't find out how to get others 
> information: Is there a proper description of the different data we 
> can find in the received packets and their order with their type, 
> outbounds etc?
> My goal is to get the following data:
> - signature of the attack
> - source ip address
> - destination ip address
> - protocol
> - source and destination ports
> I'm sorry I'm new to Perl and to Snort.
> I also found a program in C (https://www.snort.org/faq/readme-unsock) 
> to do the same thing but I didn't find out how to make it works in 
> Security Onion (there is no "snort.h" library anywhere).
>
> Thank you in advance!
>
> Regards,
>
>
> Veronique
>
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!