Snort Unix Socket Output module in Security Onion
381 views
Skip to first unread message
Veronique
Jun 11, 2015, 7:07:20 AM6/11/15
to securit...@googlegroups.com
Dear all,
I'm trying to use the Unix Socket output module of Snort and I tried to use the C program provided by Snort developpers:
https://github.com/jasonish/snort/blob/master/doc/README.UNSOCK
However, this programs doesn't compile because it can't find 'snort.h' library.
Would you have any clue on how I could implement it to make it works?
I tried to download Snort source but I run into a lot of 'include' library errors.
There are others ways such as Perl, Python or Bash script but we need to parse the binary logs and I didn't find how to parse Snort output.
Thank you in advance for your answer !
Regards,
Veronique
I'm trying to use the Unix Socket output module of Snort and I tried to use the C program provided by Snort developpers:
https://github.com/jasonish/snort/blob/master/doc/README.UNSOCK
However, this programs doesn't compile because it can't find 'snort.h' library.
Would you have any clue on how I could implement it to make it works?
I tried to download Snort source but I run into a lot of 'include' library errors.
There are others ways such as Perl, Python or Bash script but we need to parse the binary logs and I didn't find how to parse Snort output.
Thank you in advance for your answer !
Regards,
Veronique
Doug Burks
Jun 11, 2015, 7:36:32 AM6/11/15
to securit...@googlegroups.com
barnyard2 is already parsing the binary unified2 logs and sending them
to 3 different outputs by default:
- Sguil
- Snorby
- Syslog
Have you considered one of the following?
- reconfigure syslog to send alerts to an additional destination,
where your custom Perl/Python/Bash script could then parse the
human-readable ASCII logs
OR
- or perhaps reconfigure barnyard2.conf to use one of the other
barnyard2 output plugins:
https://github.com/firnsy/barnyard2/tree/master/src/output-plugins
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Veronique
Jun 11, 2015, 11:15:12 PM6/11/15
to securit...@googlegroups.com
Thank you for your answer!
Actually, I'm trying to get the information in realtime, the best one possible, that's why I was trying to get the alert directly from Snort into my program so nothing else is running between both.
I finally got to decrypt the binary alert to get the information I want, using a Python Script:
#! /usr/bin/env python
import os
import socket
import struct
# from src/decode.h
ALERTMSG_LENGTH = 256
SNAPLEN = 1500
def main():
s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
# This format does NOT include the 'Event' struct which is the last element
# of the _AlertPkt struct in src/output-plugins/spo_alert_unixsock.h
# Thus, we must truncate the messages ('datain[:fmt_size]') before passing
# them to struct.unpacket()
fmt = "%ds9I%ds" % (ALERTMSG_LENGTH, SNAPLEN)
fmt_size = struct.calcsize(fmt)
try:
os.remove("logs/snort_alert")
except OSError:
pass
s.bind("logs/snort_alert")
while True:
try:
(datain, addr) = s.recvfrom(4096)
(msg, ts_sec, ts_usec, caplen, pktlen, dlthdr, nethdr, transhdr, data, val, pkt) = struct.unpack(fmt, datain[:fmt_size])
# to print the message
print(msg);
# optionally, do something with the pcap pkthdr (ts_sec + ts_usec +
# caplen + pktlen) and packet body (pkt)
# to print the ip address of the origin packet: nethdr is the offset of the network information in the packet pkt, so you need to offset in pkt to the network information + offset to the desire information and convert it.
print(struct.unpack(">I",pkt[nethdr+12:nethdr+16])[0]);
# and so on for others information
except(struct.error) as e:
print ("bad message? (msglen=%d): %s" % (len(datain), e.message))
if __name__ == '__main__':
main()
Reply all
Reply to author
Forward
0 new messages