File: README.UNSOCK

package info (click to toggle)
snort 2.3.2-3
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 22,244 kB
  • ctags: 11,282
  • sloc: ansic: 70,376; sh: 4,364; makefile: 744; perl: 478; sql: 212
file content (152 lines) | stat: -rw-r--r-- 4,655 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
$Id: README.UNSOCK,v 1.6 2004/01/15 20:38:07 jh8 Exp $

It is possible to send alert messages and some packet relevant data
from snort through a unix socket, to perform additional separate
processing of alert data. 
Snort has to be built with spo_unsock.c/h output plugin is built in and
-A unsock (or its equivalent through the config file) is
used. The unix socket file should be created in /dev/snort_alert. Your
'client' code should act as 'server' listening to this unix socket.
Snort will be sending you Alertpkt structures which contain alert
message, event id. Original datagram, libpcap pkthdr, and offsets to
datalink, netlayer, and transport layer headers.

Below is an example how unix sockets could be used. If you have any
comments bug reports, and feature requests, please contact
snort-devel@lists.sourceforge.net or drop me an email to fygrave at
tigerteam dot net.

-Fyodor

[for copyright notice, see snort distribution code]

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <signal.h>
#include "snort.h"

int sockfd;

void
sig_term (int sig)
{
  printf ("Exiting!\n");
  close (sockfd);
  unlink (UNSOCK_FILE);
  exit (1);
}

int
main (void)
{
  struct sockaddr_un snortaddr;
  struct sockaddr_un bogus;
  Alertpkt alert;
  Packet *p;
  int recv;
  socklen_t len = sizeof (struct sockaddr_un);

  if ((sockfd = socket (AF_UNIX, SOCK_DGRAM, 0)) < 0)
    {
      perror ("socket");
      exit (1);
    }

  bzero (&snortaddr, sizeof (snortaddr));
  snortaddr.sun_family = AF_UNIX;
  strcpy (snortaddr.sun_path, UNSOCK_FILE);


  if (bind (sockfd, (struct sockaddr *) &snortaddr, sizeof (snortaddr)) < 0)
    {
      perror ("bind");
      exit (1);
    }

  signal(SIGINT, sig_term);

  while ((recv = recvfrom (sockfd, (void *) &alert, sizeof (alert),
                   0, (struct sockaddr *) &bogus, &len)) > 0)
    {

 /* do validation of recv if you care */

      if (!(alert.val & NOPACKET_STRUCT))
        {
          if ((p = calloc (1, sizeof (Packet))) == NULL)
            {
              perror ("calloc");
              exit (1);
            }

          p->pkt = alert.pkt;
          p->pkth = &alert.pkth;
          if (alert.dlthdr)
            p->eh = (EtherHdr *) (alert.pkt + alert.dlthdr);
          if (alert.nethdr)
            {
              p->iph = (IPHdr *) (alert.pkt + alert.nethdr);
              if (alert.transhdr)
                {
                  switch (p->iph->ip_proto)
                    {
                    case IPPROTO_TCP:
                      p->tcph = (TCPHdr *) (alert.pkt + alert.transhdr);
                      break;
                    case IPPROTO_UDP:
                      p->udph = (UDPHdr *) (alert.pkt + alert.transhdr);
                      break;
                    case IPPROTO_ICMP:
                      p->icmph = (ICMPHdr *) (alert.pkt + alert.transhdr);
                      break;
                    default:
	              printf ("My, that's interesting.\n");
                    }                /* case */
                }                /* thanshdr */
            }                        /* nethdr */
          if (alert.data)
            p->data = alert.pkt + alert.data;

          /*  now  do whatever you want with these packet structures */
        }                        /* if (!NOPACKET_STRUCT) */

      printf ("%s [%d]\n", alert.alertmsg, alert.event.event_id);
      if (!(alert.val & NOPACKET_STRUCT))
        if (p->iph && (p->tcph || p->udph || p->icmph))
          {
            switch (p->iph->ip_proto)
              {
              case IPPROTO_TCP:
                printf ("TCP from: %s:%d ",
                        inet_ntoa (p->iph->ip_src),
                        ntohs (p->tcph->th_sport));
                printf ("to: %s:%d\n", inet_ntoa (p->iph->ip_dst),
                        ntohs (p->tcph->th_dport));
                break;
              case IPPROTO_UDP:
                printf ("UDP from: %s:%d ",
                        inet_ntoa (p->iph->ip_src),
                        ntohs (p->udph->uh_sport));
                printf ("to: %s:%d\n", inet_ntoa (p->iph->ip_dst),
                        ntohs (p->udph->uh_dport));
                break;
              case IPPROTO_ICMP:
                printf ("ICMP type: %d code: %d from: %s ",
                        p->icmph->type,
                        p->icmph->code, inet_ntoa (p->iph->ip_src));
                printf ("to: %s\n", inet_ntoa (p->iph->ip_dst));
                break;
              }
          }

    }

  perror ("recvfrom");
  close (sockfd);
  unlink (UNSOCK_FILE);

  return 0;
}