<div dir="ltr"><div>Jones,</div><div><br></div><div>This is my final code... but it does not connect.</div><div><br></div><div>import socket</div><div>import suricatasc</div><div><br></div><div><i>def RunPcap():</i></div><div><i>        soc = "/var/run/suricata/suricata-command.socket"</i></div><div><i>        sc = suricatasc.SuricataSC(soc)</i></div><div><i>        sc.connect()</i></div><div><i>        # send_command takes the command name and its arguments separately;</i></div><div><i>        # output-dir should also be an absolute path (see Jason's note below)</i></div><div><i>        sc.send_command("pcap-file", {"filename": "/2014-09-24-Fiesta-EK-traffic.pcap", "output-dir": "test/"})</i></div><div><i>        sc.close()  # the client object is named sc, not s</i></div><div><i>RunPcap()</i><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 27, 2014 at 7:31 PM, Jones, Jason <span dir="ltr"><<a href="mailto:jasonjones@arbor.net" target="_blank">jasonjones@arbor.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Correct, place the path to your socket file in place of <socket file>, e.g.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><font color="#000000">    <span style="font-family:arial;font-size:small">soc = "/var/run/suricata/suricata-command.socket"</span></font></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><font color="#000000"><span style="font-size:small;font-family:arial">    </span><i style="font-size:small">sc = suricatasc.SuricataSC(soc)</i></font></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><font color="#000000"><i style="font-size:small"><br></i></font></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><font color="#000000"><span style="font-size:small">One thing to remember when sending commands 
is that the pcap-file-name and output-dir should probably be absolute paths instead of relative paths since the suricata socket doesn't have a concept of where you are communicating with it from.</span></font></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 27, 2014 at 2:07 PM, Versnel Diemen <span dir="ltr"><<a href="mailto:versneldiemen@gmail.com" target="_blank">versneldiemen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Jason,<div><br></div><div>What do you mean by </div><span><div><span style="font-family:arial,helvetica,sans-serif;font-size:13px"><i>sc = suricatasc.SuricataSC(<socket file>)</i></span></div><div><br></div></span><div>I get "invalid syntax" as an error. Do I have to fill in something at <span style="font-family:arial,helvetica,sans-serif;font-size:13px"><i>(<socket file>)</i> ?</span></div><div><font face="arial, helvetica, sans-serif">Is </font><span style="font-style:italic;font-size:13px;font-family:arial,sans-serif">"/var/run/suricata/suricata-</span><span style="font-size:13px;font-family:arial,sans-serif"><i>command.socket" </i>the socket file?</span></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 27, 2014 at 6:58 PM, Jones, Jason <span dir="ltr"><<a href="mailto:jasonjones@arbor.net" target="_blank">jasonjones@arbor.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">If you want to do full automated scripting you should use the suricatasc module that should get installed with suricata</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">    import 
suricatasc</div><div class="gmail_default"><span style="font-family:arial,helvetica,sans-serif;font-size:small">   </span><span style="font-family:arial,helvetica,sans-serif;font-size:small"> </span><font face="arial, helvetica, sans-serif">sc = suricatasc.SuricataSC(<socket file>)</font><br></div><div class="gmail_default"><span style="font-family:arial,helvetica,sans-serif;font-size:small">   </span><span style="font-family:arial,helvetica,sans-serif;font-size:small"> </span><font face="arial, helvetica, sans-serif">sc.connect()</font></div><div class="gmail_default"><span style="font-family:arial,helvetica,sans-serif;font-size:small">   </span><span style="font-family:arial,helvetica,sans-serif;font-size:small"> </span><font face="arial, helvetica, sans-serif">sc.send_command("pcap-file", {"filename": "file_name.pcap", "output-dir": "test/"})</font></div><div class="gmail_default"><span style="font-family:arial;font-size:small"><br></span></div><div class="gmail_default"><font face="arial">Some documentation exists on the wiki about the commands that you can pass to send_command:</font></div><div class="gmail_default"><font face="arial"><br></font></div><div class="gmail_default"><font face="arial">   <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Interacting_via_Unix_Socket" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Interacting_via_Unix_Socket</a></font></div><div class="gmail_default"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Mon, Oct 27, 2014 at 1:51 PM, Versnel Diemen <span dir="ltr"><<a href="mailto:versneldiemen@gmail.com" target="_blank">versneldiemen@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Hello there,<div><br></div><div>I'm currently writing a Python program which will send cmd to Suricatasc via the 
Unix Socket but I cannot get it working and also cannot find any good resource that can explain it to me.</div><div>Please help me.</div><div><br></div><div>This is the code that I have at the moment:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">import socket<br><br>def RunPcap():<br>        soc = "/var/run/suricata/suricata-command.socket"<br>        s = socket.socket(socket.AF_UNIX)<br>        s.connect(soc)<br>        s.send("pcap-file file_name.pcap test/")<br>        s.close()<br>RunPcap()</blockquote></div></div>
<br></div></div>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><span><font color="#888888"><br></font></span></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div>Jason Jones</div><div>ASERT Security Research Analyst</div><div>PGP Key: 0x3CD1DDE</div></div>
</font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div>Jason Jones</div><div>ASERT Security Research Analyst</div><div>PGP Key: 0x3CD1DDE</div></div>
</div>
</div></div></blockquote></div><br></div>
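<div>The raw-socket attempt at the bottom of this thread fails because the Suricata command socket speaks JSON: the client first sends a version handshake and then a {"command": ..., "arguments": {...}} object, which is what suricatasc does for you. The following is an added example, not code from the thread or from the suricatasc module, that performs that exchange with the standard library and enforces the absolute-path point made above; the handshake version string "0.1", the fake daemon with its reply text, and the /tmp/test output directory are assumptions/constructed for the offline run.</div>

```python
import json
import os
import socket
import tempfile
import threading

PROTO_VERSION = "0.1"  # assumption: the handshake version string suricatasc sends

def build_pcap_file_command(pcap, output_dir):
    # Both paths must be absolute: Suricata resolves them in its own process, not the client's.
    for path in (pcap, output_dir):
        if not os.path.isabs(path):
            raise ValueError("Suricata needs an absolute path, got %r" % path)
    return {"command": "pcap-file", "arguments": {"filename": pcap, "output-dir": output_dir}}

def run_pcap(sock_path, pcap, output_dir):
    # Version handshake first, then one JSON command; returns Suricata's decoded reply.
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(sock_path)
    s.sendall(json.dumps({"version": PROTO_VERSION}).encode())
    hello = json.loads(s.recv(4096).decode())
    if hello.get("return") != "OK":
        s.close()
        raise RuntimeError("handshake rejected: %r" % hello)
    s.sendall(json.dumps(build_pcap_file_command(pcap, output_dir)).encode())
    reply = json.loads(s.recv(4096).decode())
    s.close()
    return reply

def start_fake_suricata(sock_path):
    # Constructed stand-in for Suricata's end of the socket so the example runs offline.
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        ok = "version" in json.loads(conn.recv(4096).decode())
        conn.sendall(json.dumps({"return": "OK" if ok else "NOK"}).encode())
        cmd = json.loads(conn.recv(4096).decode())
        msg = "%s queued" % cmd["arguments"]["filename"]  # constructed reply text
        conn.sendall(json.dumps({"return": "OK", "message": msg}).encode())
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()

def demo():
    # Run the client against the fake daemon on a temporary socket path (constructed).
    path = os.path.join(tempfile.mkdtemp(), "suricata-command.socket")
    start_fake_suricata(path)
    return run_pcap(path, "/2014-09-24-Fiesta-EK-traffic.pcap", "/tmp/test")
```

Against a real daemon, point run_pcap at /var/run/suricata/suricata-command.socket instead of the temporary path and check reply["return"] for "OK" or "NOK".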