Snort mailing list archives

Fwd: Parse UnixSock output with Perl Script


From: Véronique B. <snort.nsm.user () gmail com>
Date: Fri, 12 Jun 2015 09:58:31 +1200

Dear All,
I still haven't found a way to do it. Does anyone have a clue?
I tried to look at the Snort source code, but I still don't know in which order
the fields of the packets are.

Thank you very much in advance for your help,

Regards,

Veronique
---------- Forwarded message ----------
From: Snort User <snort.nsm.user () gmail com>
Date: 2015-06-09 15:48 GMT+12:00
Subject: Parse UnixSock output with Perl Script
To: snort-users () lists sourceforge net


Dear all,
I'm trying to parse Snort output while receiving it on a Unix Socket. I'm
using Security Onion.
I'm using this Perl Script I found in several locations on the web:

#!/usr/bin/perl -w
use strict;
use warnings;

# Include the socket libraries

use IO::Socket;

# This is the template to capture the Alert Name
# Edit this to get the additional packets.
my $TEMPLATE = "A256 A*";

# Release the socket if it already exists

unlink "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert";

# In case of user termination - exit gracefully.

$SIG{TERM} = $SIG{INT} = sub { exit 0 };

# Open up the socket.
my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM, Local =>
"/nsm/sensor_data/[sensor_name]/snort-1/snort_alert") or die "Socket: $@";

print STDOUT "Socket Open ... \n";

# Loop receiving data from the socket, pulling out the
# alert name and printing it.
# Snort writes one Alertpkt struct per datagram (alert message, pcap
# header, header offsets, packet bytes, event). The packet buffer alone
# is larger than 1024 bytes, so receive into a buffer big enough for the
# whole struct or the unpack will never see anything past the message.

my $data;

while ( 1 ) {
    defined recv($client, $data, 4096, 0) or die "recv: $!";
    my @MSSG = unpack($TEMPLATE, $data);
    print "$MSSG[0]\n";
}

# At termination close up the socket again.

END {unlink "/nsm/sensor_data/[sensor_name]/snort-1/snort_alert";};


A comment says we can edit the template format to get other information.
However, I couldn't find out how to get other information: is there a
proper description of the different data we can find in the received
packets and their order, with their types, bounds, etc.?
My goal is to get the following data:
- signature of the attack
- source ip address
- destination ip address
- protocol
- source and destination ports
I'm sorry, I'm new to Perl and to Snort.
I also found a program in C (https://www.snort.org/faq/readme-unsock) to do
the same thing, but I didn't find out how to make it work in Security Onion
(there is no "snort.h" library anywhere).

Thank you in advance!

Regards,


Veronique
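An added example, not code from this thread or from the Snort project: a Python reader that decodes the Alertpkt struct the alert_unixsock output plugin writes and pulls out the five fields the question asks for. The field order assumed here is that of spo_alert_unixsock.h in Snort 2.9: alertmsg[256], a struct pcap_pkthdr, the five uint32 offsets dlthdr/nethdr/transhdr/data/val (the offsets point into the packet bytes, and val carries the flags NOPACKET_STRUCT 0x1 and NO_TRANSHDR 0x2), pkt[SNAPLEN] with SNAPLEN assumed to be 1514, then the Event struct (gid, sid, rev, classification, priority, event_id, event_reference, struct timeval). Snort writes the struct with the C compiler's native layout, so the format string uses Python's native '@' alignment and assumes a 64-bit Linux build (8-byte long in struct timeval); check both the field list and the sizes against the headers of the Snort build actually running. Because the struct is over 1800 bytes, a 1024-byte recv as in the Perl script truncates every datagram, which is why a template can never reach the packet data. The sample datagram built by build_sample() is constructed, not captured, and the socket path is the placeholder from the thread.

```python
"""Decode Snort alert_unixsock datagrams (Alertpkt) into message, IPs, proto, ports."""
import os
import socket
import struct
import sys

ALERTMSG_LENGTH = 256
SNAPLEN = 1514              # assumed pkt[] size in Alertpkt; verify against your Snort headers
NOPACKET_STRUCT = 0x1       # val flag: no packet attached to the alert
NO_TRANSHDR = 0x2           # val flag: no transport header in the packet

# One native ('@') format string so Python inserts the same padding the C
# compiler does (e.g. before the timeval inside Event). Assumes LP64 Linux.
ALERTPKT_FMT = (
    "@%ds" % ALERTMSG_LENGTH    # alertmsg
    + "llII"                    # pcap_pkthdr: ts.tv_sec, ts.tv_usec, caplen, len
    + "IIIII"                   # dlthdr, nethdr, transhdr, data, val (offsets into pkt)
    + "%ds" % SNAPLEN           # pkt
    + "IIIIIII"                 # Event: gid, sid, rev, classification, priority, event_id, event_reference
    + "ll"                      # Event.ref_time
)
ALERTPKT_SIZE = struct.calcsize(ALERTPKT_FMT)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_alertpkt(buf):
    """Decode one datagram into a dict; raises ValueError on a truncated read."""
    if len(buf) < ALERTPKT_SIZE:
        raise ValueError("short datagram: %d < %d bytes (recv buffer too small?)"
                         % (len(buf), ALERTPKT_SIZE))
    f = struct.unpack_from(ALERTPKT_FMT, buf)
    msg = f[0].split(b"\0", 1)[0].decode("ascii", "replace")   # NUL-terminated C string
    caplen = f[3]
    nethdr, transhdr, val = f[6], f[7], f[9]
    pkt = f[10][:caplen]                                        # only caplen bytes are real
    gid, sid, rev, classification, priority = f[11:16]
    out = {"msg": msg, "gid": gid, "sid": sid, "rev": rev,
           "classification": classification, "priority": priority,
           "src": None, "dst": None, "proto": None, "sport": None, "dport": None}
    if val & NOPACKET_STRUCT or caplen < nethdr + 20:
        return out                                              # decoder alert, no usable packet
    ip = pkt[nethdr:]
    if ip[0] >> 4 != 4:
        return out                                              # only IPv4 handled here
    proto = ip[9]                                               # IPv4: proto@9, src@12, dst@16
    out["proto"] = PROTO_NAMES.get(proto, str(proto))
    out["src"] = socket.inet_ntoa(ip[12:16])
    out["dst"] = socket.inet_ntoa(ip[16:20])
    # TCP and UDP both begin with 16-bit source and destination ports.
    if proto in (6, 17) and not (val & NO_TRANSHDR) and caplen >= transhdr + 4:
        out["sport"], out["dport"] = struct.unpack_from("!HH", pkt, transhdr)
    return out


def build_sample(val=0):
    """Constructed datagram mimicking what Snort writes (test data, not a capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"                            # 14-byte Ethernet header, IPv4
    ip = (bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0])      # IPv4, total len 40, proto TCP
          + socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.20"))
    tcp = struct.pack("!HHIIBBHHH", 4444, 22, 0, 0, 0x50, 0x02, 8192, 0, 0)  # TCP SYN
    frame = eth + ip + tcp
    return struct.pack(ALERTPKT_FMT,
                       b"TEST constructed alert message",
                       1434100000, 0, len(frame), len(frame),
                       0, len(eth), len(eth) + len(ip), len(frame), val,
                       frame,                                   # pack() NUL-pads to SNAPLEN
                       1, 1000001, 1, 0, 3, 7, 0,               # gid, sid, rev, class, prio, id, ref
                       1434100000, 0)


def serve(path):
    """Bind the datagram socket Snort's alert_unixsock plugin sends to and print alerts."""
    if os.path.exists(path):
        os.unlink(path)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(path)
    try:
        while True:
            a = parse_alertpkt(s.recv(ALERTPKT_SIZE + 1024))    # buffer covers the whole struct
            print("[%d:%d:%d] %s %s:%s -> %s:%s %s" % (
                a["gid"], a["sid"], a["rev"], a["msg"], a["src"], a["sport"],
                a["dst"], a["dport"], a["proto"]))
    finally:
        s.close()
        os.unlink(path)


if __name__ == "__main__":
    # e.g. python3 unsock_reader.py /nsm/sensor_data/[sensor_name]/snort-1/snort_alert
    serve(sys.argv[1])
```

The Perl equivalent of ALERTPKT_FMT is an unpack template that walks the same fields in the same order with native-width integers (`l!` for long, `L` for uint32) instead of `A256 A*`, together with a recv buffer large enough for the whole struct; the `A256` in the original template only ever reaches the alert message because that is the first field.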
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
