[Oisf-users] Suricata Unix Socket

Jones, Jason jasonjones at arbor.net
Mon Oct 27 18:31:10 UTC 2014


Correct, place the path to your socket file in place of <socket file>, e.g.

    soc = "/var/run/suricata/suricata-command.socket"
    sc = suricatasc.SuricataSC(soc)

One thing to remember when sending commands is that the pcap-file-name and
output-dir should probably be absolute paths instead of relative paths
since the suricata socket doesn't have a concept of where you are
communicating with it from.

On Mon, Oct 27, 2014 at 2:07 PM, Versnel Diemen <versneldiemen at gmail.com>
wrote:

> Hi Jason,
>
> What do you mean with
> sc = suricatasc.SuricataSC(<socket file>)
>
> I get invalid syntax as error. Do I have to fill in something at (<socket
> file>)?
> Is "/var/run/suricata/suricata-command.socket" the socket file?
>
> On Mon, Oct 27, 2014 at 6:58 PM, Jones, Jason <jasonjones at arbor.net>
> wrote:
>
>> If you want to do full automated scripting you should use the suricatasc
>> module that should get installed with suricata
>>
>>     import suricatasc
>>     sc = suricatasc.SuricataSC(<socket file>)
>>     sc.connect()
>>     sc.send_command("pcap-file file_name.pcap test/")
>>
>> Some documentation exists on the wik about the commands that you can pass
>> to send_command:
>>
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Interacting_via_Unix_Socket
>>
>>
>> On Mon, Oct 27, 2014 at 1:51 PM, Versnel Diemen <versneldiemen at gmail.com>
>> wrote:
>>
>>> Hallo there,
>>>
>>> I'm currently writing a Python program which will send cmd to Suricatasc
>>> via the Unix Socket but I cannot get it working and also cannot find any
>>> good resource that can explain it to me.
>>> Please help me.
>>>
>>> This is the code that i have at the moment:
>>>
>>>     import socket
>>>
>>>     def RunPcap():
>>>         soc = "/var/run/suricata/suricata-command.socket"
>>>         s = socket.socket(socket.AF_UNIX)
>>>         s.connect(soc)
>>>         s.send("pcap-file file_name.pcap test/")
>>>         s.close()
>>>
>>>     RunPcap()
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Training now available: http://suricata-ids.org/training/
>>>
>>
>>
>>
>> --
>> Jason Jones
>> ASERT Security Research Analyst
>> PGP Key: 0x3CD1DDE
>>
>
>


-- 
Jason Jones
ASERT Security Research Analyst
PGP Key: 0x3CD1DDE
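The exchange that Jason's suricatasc snippet drives, as an added example that is not part of this thread or of the suricatasc module: it builds the pcap-file command with absolute paths, speaks the socket protocol by hand (a JSON version handshake, then one JSON command) and runs against a constructed stand-in for the Suricata command socket so it works offline. The handshake version "0.1" and the exact reply shapes are assumptions.

```python
import json
import os
import socket
import tempfile
import threading

VERSION = "0.1"  # handshake version suricatasc sent in this era (assumption)

def build_pcap_command(pcap_file, output_dir):
    # Absolute paths: the daemon has no idea of the caller's working directory.
    return {"command": "pcap-file",
            "arguments": {"filename": os.path.abspath(pcap_file),
                          "output-dir": os.path.abspath(output_dir)}}

def send_pcap_command(sock_path, pcap_file, output_dir):
    # What suricatasc does under the hood: JSON version handshake, then one JSON command.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(json.dumps({"version": VERSION}).encode())
        if json.loads(s.recv(4096).decode()).get("return") != "OK":
            raise RuntimeError("handshake rejected by daemon")
        s.sendall(json.dumps(build_pcap_command(pcap_file, output_dir)).encode())
        return json.loads(s.recv(4096).decode())

def _fake_suricata(srv, calls):
    # Constructed stand-in for the Suricata command socket (not Suricata itself):
    # answers the handshake, records the command and refuses relative paths.
    conn, _ = srv.accept()
    with conn:
        if json.loads(conn.recv(4096).decode()).get("version") != VERSION:
            conn.sendall(b'{"return": "NOK"}')
            return
        conn.sendall(b'{"return": "OK"}')
        cmd = json.loads(conn.recv(4096).decode())
        calls.append(cmd)
        paths = cmd.get("arguments", {}).values()
        ok = cmd.get("command") == "pcap-file" and all(os.path.isabs(p) for p in paths)
        conn.sendall(json.dumps({"return": "OK" if ok else "NOK"}).encode())

def demo(pcap_file="file_name.pcap", output_dir="test/"):
    # Runs the client against the fake socket; returns (command sent, reply received).
    sock_path = os.path.join(tempfile.mkdtemp(), "suricata-command.socket")
    calls = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(1)
        t = threading.Thread(target=_fake_suricata, args=(srv, calls))
        t.start()
        reply = send_pcap_command(sock_path, pcap_file, output_dir)
        t.join()
    return calls[0], reply
```

Against a real daemon, point `send_pcap_command` at the socket path from suricata.yaml instead of the stand-in.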