Hosting Provided By

[Snort-devel] unsock and output directive

From: Alan Milligan <alan(at)balclutha.org>
Date: Sun Mar 14 2004 - 23:54:28 EST

I stated a couple of weeks ago that I was having problems with unixsock not working properly. I've been caught up in a few other things since then and have only had a brief chance to investigate further.

But there absolutely definitely is a bug, and it has something to do with the output plugin's invokation as specified in a config directive. >From the command line with -A unsock everything works, however I get nothing from my ruletype directive invokation (although other plugins do work). I've included these directives below.

If anybody has come across this and fixed it, please let me know, otherwise I will track it down over the next week or so.

Cheers, Alan

#
# Enchant Traffic Monitor stuff ...
#

ruletype monitor {

type alert
# this next guy is logging everything - but have to do something to
# reassemble pkt to get size??? (also can probably do some funky binary
# mode but this -b option seems to override conf file output params...)
# output log_tcpdump: /var/log/snort/traffic
# this next guy only puts to/from port info - no pkt sizes
# output alert_fast: /var/log/snort/traffic
# this next guy splits headers from packets in files :(
# output alert_full: /var/log/snort/traffic
# this next guy doesn't seem to be working :(

Do you need help?

output alert_unixsock
# this next one should work with 2.1.1 which has our csv patch ...
output alert_CSV: /var/log/snort/traffic proto,src,srcport,dst,dstport,ethlen
}

# all traffic ...

monitor tcp  $EXTERNAL_NET any <> $HOME_NET any
monitor udp  $EXTERNAL_NET any <> $HOME_NET any
monitor icmp $EXTERNAL_NET any <> $HOME_NET any





-------------------------------------------------------

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Mon Mar 15 00:00:40 2004

This message: [ Message body ]
Next message: Bill McCarty: "[Snort-devel] Snort 2.0.6 fires alerts irrespective of protocol speciifer"
Previous message: Martin Roesch: "[Snort-devel] stream changes in CVS"
In reply to: Nick Zitzmann: "Re: [Snort-devel] spo_cvs.c bugs"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT