sockserv

sockserv − Threaded socket server for snort

sockserv [−bhlqv] [−A delay] [−D <dropsocket>] [−H highwater] [−I interface] [−L lowwater] [−m mode] [−M maxtry] [−N sensorname] [−p port][−P pidfile] [−s <snortsocket>] [−S server] [−V area,level] [−w dir] [−W waittime]

Threaded socket server to create an unix domain socket, read snort data from it and transfer them via TCP socket to a central server running servsock.
One thread collects the data from snort, the second thread writes this data to the server. This way the output of snort is decoupled from the engine and this will speed up the sensor.
All alerts are buffered until they are spooled to the server.
To limit the buffer size used to store alerts there is an optional drop feature. To use it servsock has to be compiled with −DDROP. If this feature is enabled (option −D) and the number of buffered alerts reaches the highwater mark then the most recent alerts are dropped to the unix socket dropsocket until the lowwater mark is reached.
A program called drop is able to create such an unix socket and work with the alerts.
If the server is not reachable or the connection breaks down servsock tries maxtry times to connect again to the server. Between eacht try there is a delay of waittime seconds. If there is no connection within these maxtry tries the program exits.

−A delay

Print every delay seconds statistics about received, sent and dropped alerts. The change of these values between delay seconds is printed in brackets. See also option −l.

−b

Start the process in the background: daemon mode. This automatically activates option −l.

−D <dropsocket>

If there are more than highwater alerts buffered then the newest alerts are dropped to <dropsocket> until the lowwater mark is reached.

−H highwater

Sets the highwater mark, see option −D. The default value is 10000.

−h

Print a help message and exit.

−I interface

Name of the interface on which snort is sniffing (optional). The sensorname plus interface must be unique, so the use of the same sensorname with different interfaces is allowed.

−l

Log statitiscs to syslog instead of stdout. See also option −A.

−L lowwater

Sets the lowwater mark, see option −D. The default value is 9900.

−m mode

Sets the umask to mode for the daemon mode. This affects the mode for the created unix socket and pid file. The mode can be either given in ascii, octal (with leading 0) or hex (with leading 0x) format.

−M maxtry

Sets the maximum number of tries to (re−) connect to the server. See also option −W.

−N sensorname

Provides the sensorname which should be used with the database. If this option is missing then the hostname is taken. With this option it is possible to run several sockserv instances on one host. But be aware to change the socket via option −s!

−p port

Defines on which port to try to reach the server running servsock. See also option −S.

−P PIDfile

Filename to store the PID. Note: This file must be writeable by the user running sockserv!

−q

Disables writing of dropped alerts to the unix socket.

−s <snortsocket>

Defines the name and directory where the unix domain socket is opened for snort. The default is /tmp/snort.

−S server

Defines the server running servsock. The name can be either a full qualified domain name or an IP address. The default is 10.200.200.1. See also option −s.

−v

Display version information.

−V area,level

Activate debug output for area (see README.debug) for informations up to level. A value of ALL activates all areas, level should be between 0 (disabled) and 9 (maximum output). This option can be used several times for different values.

−w dir

Sets the working directory in daemon mode to dir. The default is to use the current working directory. It is useful to choose "/" to avoid blocking mounted filesystems.

−W waittime

Time in seconds to wait between two connect tries to the server. See also option −M.

/tmp/snort (unix socket)
/tmp/sockserv.pid
/tmp/sockserv_{sensorname}

To run this program the standard way type:

sockserv

Alternativly you can run it as:

sockserv −S central −p 1234 −A 30

Now sockserv will try to connect to the server central on TCP port 1234 and writes statistics every 30 seconds to stdout.

To use the drop feature:

sockserv −D /tmp/drop −L 1000 −H 1100

To provide a sensor name:

sockserv −S central −p 1234 −N Sensor1

Dirk Geschke <Dirk@geschke−online.de>

The drop feature is optional and has to be compiled in separately. If it is not compiled in then the options −D, −L and −H are missing in the output of the −h option.
It is highly advisable to choose a very high highwater mark to buffer as many alerts as possible. This will reduce the possibility of information loss.
On the other hand the difference between the highwater and lowwater should not be very high. To minimize information loss the alerts are spooled via drop to a mail server. Normally this server is either located on the central server or is reached via this server.
If you spool too many alerts via drop the emails get unreadable long.
Problems should only arise if the connection to the servsock program is lost for a longer period. But if there are network problems then it is alike that drop will fail too.
Be cautious: With increasing buffer usage the memory consumtption raises with about 3 kB for each alert (actually 1360 bytes per alert plus payload). But this memory is shared with the snort process. So set the highwater to a value where it is safe for the snort process.
If a pid file exists the program checks for a running process with this id. If one is found the program exits. There is no check for which program is running, only if one runs!

servsock(8), drop(8), snort(8)