> I have a question on how to use Snort unixsock plugin.
>
> 1) I followed the direction in the manual and added the line output alert_unixsock to snort.conf file.
>
> 2) Then I run the snort command like this: snort -A unsock -c snort.conf and will start to get some output inside the terminal.
Note: the command line overrides the output-plugin statement in
snort.conf. So with this option all alerts are written to the
unix domain socket.
> I was wondering if you could please let me know if I am doing this the right way or I am missing some steps?
That is the right way to activate the output to the unix domain socket.
> If I am doing this the correct way, what is it supposed to happen ultimately?
The usual fault is: You have to provide the unix domain socket so
that snort can write to it. Snort does not create the socket, so if
there is no unix domain socket at all nothing will happen...
Best regards
Dirk
--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| di...@geschke-online.de / di...@lug-erding.de / kon...@lug-erding.de |
+----------------------------------------------------------------------+
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: "snort -A unsock -c snort.conf ". Did you mean I have to delete the line from the snort.conf file and just run the command itself?
No, in this case it does not matter: both do the same...
But if you define "output alert_unixsock" in snort.conf there is no
need to use "-A unsock", too.
> 2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?
Simply write a script/program that creates the unix domain socket
and reads from it. That's all.
The socket should be in the log dir and called snort_alert.
All you need is something like this:
---
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>
#include <unistd.h>
int sock;
struct sockaddr_un unix_addr;
/* get a datagram socket, the type the output plugin sends to */
sock = socket(PF_UNIX, SOCK_DGRAM, 0);
/* we want a unix socket */
memset(&unix_addr, 0, sizeof(unix_addr));
unix_addr.sun_family = AF_UNIX;
strncpy(unix_addr.sun_path, SocketName, sizeof(unix_addr.sun_path) - 1);
/* create the socket (remove a stale file first, otherwise bind() fails) */
unlink(SocketName);
bind(sock, (struct sockaddr *) &unix_addr, sizeof(unix_addr));
---
SocketName should be the name of the socket you want to create.
After this you can read from "sock" when snort writes to it.
> 1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).
You have to create this socket so snort can write to it (on some
systems one has to ensure that the snort process is allowed to
write to this socket...).
If there is no socket, then all alerts are simply dropped.
> 2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any good?
It looks okay so far. You should take care of the size of
Alertpkt, this is what the output plugin writes to the socket.
This number of bytes should be read from the socket and of
course you should take care of the fields in order to extract
them correctly.
If you read fewer bytes than are in the buffer then you will
read the remaining parts the next time and not the next alert...
> 3) You said "After this you can read from "sock" when snort writes to it". would you please tell me how could I do this?
Simply do a blocking read on it; if data are there then you can
read them. Hence if snort writes an alert to the socket your
program can read it at the same time.
> P.S. Here's the code:
> while ( true ) {
> recv($client,$data,1024,0);
> @FIELDS = unpack($TEMPLATE, $data);
I think a
$client->recv($data,1024);
would be the better way. Although Alertpkt is bigger than 1024 bytes,
this way you should get at least the alertmsg of the first alert.
Best regards
Dirk
BTW: You can take a look at sockserv.c from FLoP for how I solved
this in C for a quite different output plugin. I adjusted and
extended the output plugin to provide more information and
the whole pcap data. You can find the latest version of FLoP
here:
http://www.geschke-online.de/FLoP/src/FLoP-1.6.1.tar.gz
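A complete receiver for the procedure described in the replies above (create the snort_alert datagram socket in the log directory, then read one whole Alertpkt per recv()), as an added example that is not code from this thread, from Snort or from FLoP. It also covers the size point from the last reply by showing what the 1024-byte recv() does: on a datagram socket it returns only what fits and the rest of that alert is discarded, so the following recv() returns the next alert, not the remainder. The AlertPkt struct, the ALERTMSG_LENGTH and SNAPLEN values, and send_alert(), which stands in for the snort side, are assumptions made for this example; a real receiver takes Alertpkt from the spo_alert_unixsock.h of the Snort version it runs against.

```c
/* Receiver for Snort's alert_unixsock output (added example, not Snort code).
 * AlertPkt is an assumed stand-in; real code uses Alertpkt from spo_alert_unixsock.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define ALERTMSG_LENGTH 256   /* assumed value */
#define SNAPLEN 1514          /* assumed value */

typedef struct {
    uint8_t  alertmsg[ALERTMSG_LENGTH]; /* rule message, NUL terminated */
    uint32_t caplen;                    /* bytes present in pkt[] */
    uint8_t  pkt[SNAPLEN];              /* raw packet bytes */
    uint32_t sig_generator;             /* gid:sid:rev of the rule */
    uint32_t sig_id;
    uint32_t sig_rev;
} AlertPkt;

/* Create and bind the datagram socket snort will sendto(). Returns fd or -1. */
int create_alert_socket(const char *path)
{
    struct sockaddr_un addr;
    int sock = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);   /* a stale socket file from a previous run makes bind() fail */
    if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(sock);
        return -1;
    }
    return sock;
}

/* Blocking read of one alert into a buffer the size of the whole struct.
 * Returns 1 for a complete alert, 0 if a datagram of another size was
 * dropped, -1 if recv() failed. */
int read_alert(int sock, AlertPkt *out)
{
    ssize_t n = recv(sock, out, sizeof(*out), 0);
    if (n < 0) return -1;
    if (n != (ssize_t)sizeof(*out)) return 0;
    out->alertmsg[ALERTMSG_LENGTH - 1] = '\0'; /* never trust the sender's NUL */
    return 1;
}

/* The 1024-byte read from the thread. Returns what recv() reports; on a
 * datagram socket that is 1024 and the rest of this alert is gone. */
ssize_t read_alert_truncated(int sock)
{
    char small[1024];
    return recv(sock, small, sizeof(small), 0);
}

/* Stand-in for the snort side: one sendto() per alert. Returns 0 on success. */
int send_alert(const char *path, const char *msg, uint32_t sig_id)
{
    struct sockaddr_un addr;
    AlertPkt pkt;
    ssize_t n;
    int sock = socket(PF_UNIX, SOCK_DGRAM, 0);
    if (sock < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    memset(&pkt, 0, sizeof(pkt));
    strncpy((char *)pkt.alertmsg, msg, ALERTMSG_LENGTH - 1);
    pkt.sig_generator = 1; pkt.sig_rev = 1;
    pkt.sig_id = sig_id;
    n = sendto(sock, &pkt, sizeof(pkt), 0, (struct sockaddr *)&addr, sizeof(addr));
    close(sock);
    return n == (ssize_t)sizeof(pkt) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/var/log/snort/snort_alert";
    AlertPkt pkt;
    int r, sock = create_alert_socket(path);
    if (sock < 0) {
        perror("create_alert_socket");
        return 1;
    }
    while ((r = read_alert(sock, &pkt)) >= 0) {
        if (r == 0)
            fputs("dropped datagram of unexpected size\n", stderr);
        else
            printf("[%u:%u:%u] %s\n", pkt.sig_generator, pkt.sig_id,
                   pkt.sig_rev, (char *)pkt.alertmsg);
    }
    perror("recv");
    return 1;
}
```

Start it with the socket path as argument (default /var/log/snort/snort_alert) before starting snort with output alert_unixsock; it must run as a user that may create the file in the log directory, and snort must be allowed to write to it. The receiver's buffer is sizeof(AlertPkt) for the reason the last reply gives: a smaller buffer never yields a parseable alert.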