Problem
You want your alert to go to a program of your choice.
Solution
The alert_unixsock output plug-in opens a Unix socket and sends all alerts to it. It takes no options:
output alert_unixsock
Discussion
Unix domain sockets are often confused with TCP/IP sockets. Although the kernel handles them in much the same way internally, you cannot connect to a Unix socket from another machine: they exist purely for local interprocess communication. As the plug-in's name gives away, it is not available on the Windows platform.
The alert_unixsock plug-in will send all alerts to the snort_alert file in the current Snort logging directory. For example, if you start Snort as follows:
snort -c /etc/snort/snort.conf -l /tmp
Snort will attempt to log to the /tmp/snort_alert socket. Snort makes no attempt to create this socket; the receiving program must create (bind) it. If the file does not exist or is not writable, Snort reports an error, but this does not stop it from starting: once the receiving program creates the socket, Snort begins pushing alerts to it. Note that anything with write permission on that socket file can send datagrams to it, so protect the path as you would any other input to your alert handler.
Most, if not all, programming languages available on Unix include functions for manipulating sockets. A search of the Internet will turn up example C code to create, open, close, and read from sockets, and even some examples specific to the alert_unixsock plug-in. The following example is written in Perl:
#!/usr/bin/perl
use strict;
use warnings;

# Include the socket libraries
use IO::Socket;
use IO::Socket::UNIX;

# The socket is "snort_alert" in the Snort logging directory
my $sockpath = "/var/log/snort/snort_alert";

# This is the template to capture the alert name: the first 256 bytes
# of every datagram are the NUL-padded alert message, and the rest is
# the packet header and packet data. Edit this to get the additional fields.
my $TEMPLATE = "A256 A*";

# Release the socket if it already exists (a stale file makes bind fail)
unlink $sockpath;

# In case of user termination - exit gracefully.
$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket. The listener creates it; Snort only sends to it.
my $client = IO::Socket::UNIX->new(
    Type  => SOCK_DGRAM,
    Local => $sockpath,
) or die "Socket: $@";
print STDOUT "Socket Open ...\n";

# Loop receiving data from the socket, pulling out the alert name and
# printing it. The buffer must be large enough for a whole datagram:
# whatever does not fit in it is silently discarded.
my $data;
while (1) {
    next unless defined $client->recv($data, 65536, 0);
    my @FIELDS = unpack($TEMPLATE, $data);
    print "$FIELDS[0]\n";
}

# At termination close up the socket again.
END { unlink $sockpath; }
This code pulls the alert name out of each datagram and prints it. Far more information is included in the datagram, following the Alertpkt structure defined in Snort's spo_alert_unixsock.h, including the packet header and the raw packet data. Decoding the rest is left as an exercise for the reader.
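The following is an added example, not code from the book or from Snort itself. It does the same job as the Perl script in Python and also exercises the socket mechanics end to end: it binds the snort_alert socket the way a consumer must, sends constructed datagrams to it the way the plug-in does (sendto() from an unbound AF_UNIX datagram socket), and extracts the alert name from the first 256 bytes. The 256-byte alertmsg field is ALERTMSG_LENGTH from Snort's spo_alert_unixsock.h; the bytes appended after it here are a constructed stand-in for the packet header and data, not their real layout, which depends on platform and Snort version. The 0660 mode on the socket file and the sample alert names are assumptions made for the example.

```python
import os
import socket
import tempfile

# Length of the alertmsg field that starts every alert_unixsock datagram
# (ALERTMSG_LENGTH in Snort's spo_alert_unixsock.h).
ALERTMSG_LENGTH = 256

# Receive buffer large enough for a whole Alertpkt, which carries the raw
# packet after the message. A too-small buffer silently truncates a datagram.
RECV_BUFSIZE = 65536


def parse_alert(datagram: bytes) -> str:
    """Return the NUL-terminated alert message at the start of a datagram.

    Anything shorter than the message field cannot be a real Alertpkt and
    is rejected rather than interpreted.
    """
    if len(datagram) < ALERTMSG_LENGTH:
        raise ValueError(f"datagram too short for Alertpkt: {len(datagram)} bytes")
    msg = datagram[:ALERTMSG_LENGTH].split(b"\0", 1)[0]
    return msg.decode("ascii", errors="replace")


def open_alert_socket(path: str) -> socket.socket:
    """Create the datagram socket Snort will send to.

    Snort does not create the socket; the consumer binds it. A stale file
    from a previous run would make bind() fail, so it is removed first.
    """
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    # Anyone who can write to this path can inject fake alerts. Restrict it
    # to owner and group (assumption: the group is shared with the snort user).
    os.chmod(path, 0o660)
    return sock


def build_alertpkt(message: str, trailer: bytes = b"") -> bytes:
    """Construct a datagram shaped like the start of Snort's Alertpkt for
    testing: the message NUL-padded to ALERTMSG_LENGTH, followed by an
    arbitrary trailer standing in for the packet header and data."""
    raw = message.encode("ascii")
    if len(raw) >= ALERTMSG_LENGTH:
        raise ValueError("message too long for alertmsg field")
    return raw.ljust(ALERTMSG_LENGTH, b"\0") + trailer


def alerts(sock: socket.socket):
    """Yield alert names from a bound socket forever (the real consumer loop)."""
    while True:
        yield parse_alert(sock.recv(RECV_BUFSIZE))


def roundtrip(messages):
    """Bind a listener in a temporary log directory, send constructed
    datagrams to it as the plug-in would, and return the parsed names."""
    with tempfile.TemporaryDirectory() as logdir:
        path = os.path.join(logdir, "snort_alert")
        listener = open_alert_socket(path)
        sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            for m in messages:
                sender.sendto(build_alertpkt(m, b"\0" * 64), path)
            listener.settimeout(2.0)
            return [parse_alert(listener.recv(RECV_BUFSIZE)) for _ in messages]
        finally:
            sender.close()
            listener.close()


if __name__ == "__main__":
    # Constructed sample alert names, not captured Snort output.
    for name in roundtrip(["ICMP PING NMAP", "WEB-MISC /etc/passwd"]):
        print(name)
```

To use it against a live sensor, call open_alert_socket() on the snort_alert path under the directory given to snort -l, then iterate over alerts() on the returned socket; the roundtrip() function only exists so the example can be run without Snort.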
See Also
Christiansen, Tom and Nathan Torkington. "Recipe 17.6: Using Unix Domain Sockets." In Perl Cookbook. Sebastopol, CA: O'Reilly, 2003.