Logging to a Unix Socket

Problem

You want your alert to go to a program of your choice.

Solution

The alert_unixsock output plug-in opens a Unix socket and sends all alerts to it. It takes no options:

output alert_unixsock

Discussion

Unix sockets are commonly mistaken for TCP/IP sockets. While there are many similarities in the way they're handled internally, you won't be able to connect to a Unix socket from another machine. These are purely for local interprocess communication. There is quite a big giveaway in the name of this plug-in that indicates that this is not for use on the Windows platform.

The alert_unixsock plug-in will send all alerts to the snort_alert file in the current Snort logging directory. For example, if you start Snort as follows:

snort -c /etc/snort/snort.conf -l /tmp

Snort will attempt to log to the /tmp/snort_alert file. Snort makes no attempt to create this file, and will report an error if the file does not exist or is unwritable. This won't, however, stop Snort from starting; once the socket is created by the receiving program, Snort will start to push alerts to it.

Most, if not all, programming languages available on Unix include facilities for manipulating sockets. If you search the Internet, you can find example C code to create, open, close, and read from sockets. You'll even find some examples specific to the alert_unixsock plug-in. The following example is given in Perl:

#!/usr/bin/perl
use strict;
use warnings;

# Include the socket libraries
use IO::Socket;

# This is the template to capture the Alert Name (the first 256 bytes).
# Edit this to get the additional packet data that follows it.
my $TEMPLATE = "A256 A*";

# Path of the socket, relative to the Snort logging directory (-l).
my $SOCKET_PATH = "/var/log/snort/snort_alert";

# Release the socket if it already exists
unlink $SOCKET_PATH;

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket. Snort sends datagrams, so the type must be SOCK_DGRAM,
# and the socket must be bound before Snort starts, as Snort will not create it.
my $client = IO::Socket::UNIX->new(Type  => SOCK_DGRAM,
                                   Local => $SOCKET_PATH)
    or die "Socket: $@";

print STDOUT "Socket Open ...\n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it. 1024 bytes is enough for the name;
# enlarge the buffer to read the rest of the datagram (raw packet included).
my $data;
while (1) {
    recv($client, $data, 1024, 0);
    my @FIELDS = unpack($TEMPLATE, $data);
    print "$FIELDS[0]\n";
}

# At termination close up the socket again.
END { unlink $SOCKET_PATH; }

This code finds the alert name from the datagram sent and prints it out. Far more information is included in the datagram, including the raw packet data. This is left as an exercise for the reader to implement.
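The same receiver in Python, added here as an example that is not part of the original recipe or of Snort: it reads the 256-byte NUL-padded alert name the Perl "A256 A*" template unpacks, binds the socket before Snort starts (Snort does not create it), and uses a receive buffer large enough for the whole datagram so the trailing packet data is not silently truncated. The socket path and the sample datagrams are constructed for the offline demo.

```python
import os
import socket
import tempfile

ALERTMSG_LENGTH = 256  # the NUL-padded alert-name field the recipe's "A256 A*" template unpacks


def parse_alert(datagram: bytes):
    """Split one alert_unixsock datagram into (alert name, trailing bytes).
    Only the name is interpreted; the rest (packet header, offsets, raw packet) is returned as-is."""
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError(f"truncated datagram: {len(datagram)} bytes")
    name = datagram[:ALERTMSG_LENGTH].split(b"\0", 1)[0].decode("ascii", "replace")
    return name, datagram[ALERTMSG_LENGTH:]


def open_alert_socket(path: str) -> socket.socket:
    """Bind the datagram socket Snort will send to. Snort never creates this file,
    so the reader binds first; a stale file from an earlier run would make bind() fail."""
    if os.path.exists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    return sock


def receive_alerts(sock: socket.socket, count: int, bufsize: int = 65535):
    """Read `count` datagrams (one per alert) and return the alert names. bufsize must
    cover the whole datagram: a datagram socket discards whatever does not fit."""
    names = []
    for _ in range(count):
        data, _sender = sock.recvfrom(bufsize)
        names.append(parse_alert(data)[0])
    return names


def make_sample_datagram(name: str, tail: bytes = b"") -> bytes:
    """Constructed test datagram: name padded to 256 bytes, then arbitrary tail bytes."""
    return name.encode().ljust(ALERTMSG_LENGTH, b"\0") + tail


def demo():
    """Offline run: bind in a temp dir, send two constructed alerts to it, read them back."""
    with tempfile.TemporaryDirectory() as tmp:
        server = open_alert_socket(os.path.join(tmp, "snort_alert"))
        sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            for n in ("CONSTRUCTED alert one", "CONSTRUCTED alert two"):
                sender.sendto(make_sample_datagram(n, b"\x00\x01"), server.getsockname())
            return receive_alerts(server, 2)
        finally:
            sender.close()
            server.close()
```

To use it against a real Snort started with -l /var/log/snort, call open_alert_socket("/var/log/snort/snort_alert") before Snort starts and loop on receive_alerts.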

See Also

Christiansen, Tom and Nathan Torkington. "Recipe 17.6: Using Unix Domain Sockets." In Perl Cookbook. Sebastopol, CA: O'Reilly, 2003.




Snort Cookbook
ISBN: 0596007914
Year: 2006
Pages: 167
