,
I have created a unix socket (TCP as well as UDP). I have tested it with a client and it works well. When I try to send alert to unix socket via snort I do not receive any alert. I have uncomment "alert_sfsocket = { }" in snort.lua config file and also used -A alert_unixsock. If i use -L dump it shows alerts on console.
command on terminal: sudo snort -i ens33 -c ~username/snort_src/snort3/lua/snort.lua -R ~usernamer/snort_src/snort3/lua/snort3-community.rules -A alert_unixsock -l ~username/tmp.
Kindly guide me what else I have to configure so that I receive alerts on unix socket.
Thanks.
Syed Shabbar Raza Zaidi ,
Let us start with the basic troubleshooting.
- Since you are using sudo I am assuming it is Linux and if so what version?
- Was the client that you used to test the socket on the same machine.
- Do you have a default firewall configuration on your receiving machine?
- Does Snort have permissions to send to open sockets (in case it is a privilege port and you are using mandatory access control) ?
Let me know
I am not an expert in this area but a few of my colleagues recommended the below-mentioned site to get answers to certain queries, please find the details.
https://www.snort.org/faq
I am using Ubuntu 20
Socket and snort both are on the same machine
I am using default configuration and using rule to detect icmp packet. It shows on console
alert icmp any any -> any any ( msg:"PROTOCOL-ICMP Address Mask Request undefined code";icode:>0;sid:1)
I open snort in root so that to give it all rights.
I have installed snort 2 to check if it works. snort 2 is sending alerts on UDP socket
Wireshark will not capture traffic of unix socket. It only captures traffic on interface.
You are correct I did not pay attention that they were Unix sockets (thought by default that they were Berkley sockets), I just focused TCP as well as UDP (which you can catch the information being sent by Snort by your socket by simulating a Syslog server).
Now Unix sockets are interprocess communication that store information in files.
Unix sockets do not work with TCP/IP since they work via filenames. The Unix socket from snort will probably just send it to your log file destination.
If you are trying to get information to a secondary program (which is the only reason I would try to send information from Snort) i would suggest setting snort to send to Syslog server and catch the information by simulating a Syslog server (and you can use Wireshark to troubleshoot your socket).
- Badges
- Science topic
- Similar topics
- Biological Science
- Bioecology
- Systems Ecology
- Landscape Ecology
- Connectivity