[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    [Snort-devel] Information Request about snort unix socket
From:       Giancarlo Capone <giancarlo.capone () yahoo ! com>
Date:       2014-10-26 11:16:41
Message-ID: F71D9A97-402C-41A1-AF69-C564E34BF5FA () yahoo ! com
[Download RAW message or body]

Good morning to all of you,
I'm an Italian student, and I've successfully installed snort as NIDS on an OpenSuse \
Virtual Machine. 

Now I'm trying to make snort printing alerts on unix-socket. I've firstly tried a \
perl script that listens to the unix socket created by snort: it works fine, but I'm \
only able to catch the "msg" I've written in the rule, but I'm not able to catch \
other info about the data packet itself. For instance I'd like to get ip source \
address and destination, as many other info. 

I've read the C code provided in the README.UNSOCK file, but when I try to compile \
it, there is a problem because, obviously, the compiler doesn't find the snort.h \
file. Can you give any suggestion about how to resolve this issue? I've tried to find \
this file in snort folders, but unsuccessfully. 

I'd like also to ask you another question, because I don't also understand where in \
the C code it starts listening to the unix socket. In perl code (that I've written at \
the bottom of this email) I use the following code :"Local => \
"$ENV{HOME}/snort_alert")" to define the location of the unix socket I want to listen \
to.

I thank you in advance, and I'm sorry if my English is not so good.

Have a nice day, 
Giancarlo Capone.

PS. I write here the perl script I've found on internet: 

#!/usr/bin/perl
# Include the socket libraries
use IO::Socket;

# This is the template to capture the Alert Name
# Edit this to get the additional packets.
$TEMPLATE = "A256 A*";

# Release the socket if it already exists
unlink "$ENV{HOME}/snort_alert";

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM,
                 Local => "$ENV{HOME}/snort_alert")
                 or die "Socket: $@";

  print STDOUT "Socket Opened ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
my $data;

  while ( true ) {
  print STDOUT "\n \n \n Before receive rcv... \n";
      recv($client,$data,1024,0);
      @FIELDS = unpack($TEMPLATE, $data);
      # print "@FIELDS \n";
	print "@FIELDS[0] \n";
  }

  # At termination close up the socket again.
  END {unlink "$ENV{HOME}/snort_alert";}


------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!


[prev in list] [next in list] [prev in thread] [next in thread]