[Snort-devel] TODO for Snort

John Zeng johnz at ...343...
Mon Apr 23 18:01:13 EDT 2001

Hi, Joe,

Here is what I understood so far:

1. The current IDMEF XML plug in support file only.
2. You are going to support BEEP in your next step.

I am building a servlet to receive IDMEF XML alert.  So, I want to receive
XML through HTTP.  My question is:

1. Are you going to support HTTP/HTTPS too?  
2. If you support BEEP, does this mean that HTTP is supported automatically?

I think supporting HTTP is easier than supporting BEEP.  So, why don't you
support HTTP before BEEP.  This meets your goal which is to minimize the
time between releases.


-----Original Message-----
From: Joe McAlerney [mailto:joey at ...60...]
Sent: Tuesday, April 17, 2001 9:39 AM
To: Bart van Kuik
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] TODO for Snort

Hello Bart,

Bart van Kuik wrote:
> I was wondering what Snort needs right now because I might have some free
time (two months) to play around with the code. So I tried to think of some
thinks in general:
> - A way to export alerts using the libidmef library (this is the
implementation of the IETF's drafts for an inter-IDS library (I think))

Hello Bart,

The IDMEF XML plugin was developed to do this.  It is available in the
contrib directory of Snort-1.7 or greater.  The plugin uses libidmef to
construct IDMEF messages.  I am in the process of updating libidmef to
conform to the latest specification (draft-ietf-idwg-idmef-xml-03.txt). 
Once that is finished, I will update the IDMEF XML plugin as well.  I'm
shooting for early May to release the next version of libidmef.  The
next version of the IDMEF XML plugin should be finished shortly after,
if not the same time.

Currently, the IDMEF XML plugin only output to a file.  I will be
incorporating in the BEEP transport protocol to allow the plugin to send
IDMEF messages to a remote location.  I suspect this will be done using
an existing BEEP implementation.  As of right now, the next IDMEF XML
plugin will be released in two stages; BEEP-less and BEEP-able.  My goal
is to minimize the time between those releases.

Information on IDMEF, libidmef and the IDMEF XML plugin is available at:


Please feel free to contact me if you have questions, comments, or


-Joe M.

|   Joe McAlerney     joey at ...63...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Snort-devel mailing list
Snort-devel at lists.sourceforge.net

More information about the Snort-devel mailing list