[Snort-devel] xml format samples

Mike Andersen mike.andersen at ...139...
Wed Feb 7 12:41:04 EST 2001


[Todd Lewis]
| 
| Here are some samples of what an XMLified rule file might look like:

Nice, but I would like to have more information in the rule (see the
example I've included).

| 	<bcontent>88042020202020202020202020202020</bcontent>

It might be an advantage to add information about which encoding is
used for the binary content.  Something like:

   <content encoding="blah">88042020202020202020202020202020</content>


Here is an example that we are using internally (we are also planning to
make snort XML aware):

<?xml version="1.0"?>
<rule>
  <header>
    <id>
      <cve>CVE-1999-0183</cve>
      <ids>IDS137</ids>
    </id>
    <title>TFTP parent directory</title>
    <serialnumber>2001020701</serialnumber>
    <comments>
       This event indicates a tftp request for a file outside of the
       designated tftp directory (..).  tftp does not use
       authentication, and early versions of the daemon allowed
       retrieval of any file on the server.
    </comments>
    <origin>http://www.whitehats.com/info/IDS137</origin>
    <author>
      <name>Max Vision</name>
    </author>
  </header>
  <logic>
    <and>
      <protocol>udp</protocol>
      <source>
        <address>&EXTERNAL;</address>
      </source>
      <destination>
        <address>&INTERNAL;</address>
        <port>69</port>
      </destination>
      <content>..</content>
      <direction>inbound</direction>
    </and>
  </logic>
  <handling>
    <facility>snort</facility>
    <severity>low</severity>
  </handling>
</rule>


mike
-- 
Tact is the ability to tell a man he has an open mind when he has a
hole in his head.
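Added example (editor's, not code from this message or from the Snort project): a converter that reads a rule in the XML layout above and emits the equivalent Snort text rule, including the content encoding attribute proposed in the reply. Assumptions, since the post does not fix them: the undeclared &EXTERNAL; and &INTERNAL; entities map to Snort's $EXTERNAL_NET and $HOME_NET variables, the encoding attribute takes the values "text" (default) and "hex", a direction of "both" selects Snort's bidirectional operator, and an IDS number is emitted as Snort's arachnids reference. The sample XML is constructed from the rule in the post with one extra hex content element.

```python
import xml.etree.ElementTree as ET

# Assumed mapping for the entities the post leaves undeclared.
ENTITY_MAP = {"EXTERNAL": "$EXTERNAL_NET", "INTERNAL": "$HOME_NET"}

# Constructed sample: the post's rule, plus a second <content> element that
# carries the proposed encoding attribute (encoding="hex" is an assumption).
SAMPLE_XML = """<?xml version="1.0"?>
<rule>
  <header>
    <id>
      <cve>CVE-1999-0183</cve>
      <ids>IDS137</ids>
    </id>
    <title>TFTP parent directory</title>
    <serialnumber>2001020701</serialnumber>
  </header>
  <logic>
    <and>
      <protocol>udp</protocol>
      <source><address>&EXTERNAL;</address></source>
      <destination><address>&INTERNAL;</address><port>69</port></destination>
      <content>..</content>
      <content encoding="hex">88042020202020202020202020202020</content>
      <direction>inbound</direction>
    </and>
  </logic>
  <handling>
    <facility>snort</facility>
    <severity>low</severity>
  </handling>
</rule>
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_rule(xml_text, entities=ENTITY_MAP):
    """Parse the rule after declaring the address entities in an internal DTD subset.

    An entity that is not in the map stays undeclared, so the parser raises
    ParseError: silently dropping an address constraint would widen the rule.
    """
    subset = "".join('<!ENTITY %s "%s">' % (n, v) for n, v in entities.items())
    doctype = "<!DOCTYPE rule [%s]>" % subset
    if xml_text.lstrip().startswith("<?xml"):
        head, sep, body = xml_text.partition("?>")
        xml_text = head + sep + "\n" + doctype + body
    else:
        xml_text = doctype + "\n" + xml_text
    return ET.fromstring(xml_text)


def content_to_snort(elem):
    """Render one <content> element as a Snort content argument."""
    encoding = elem.get("encoding", "text")  # assumed attribute values
    data = (elem.text or "").strip()
    if encoding == "text":
        # Snort treats ; \ " and | specially inside a quoted content string.
        escaped = "".join("\\" + c if c in ';\\"|' else c for c in data)
        return '"%s"' % escaped
    if encoding == "hex":
        if not data or len(data) % 2 or not set(data) <= HEX_DIGITS:
            raise ValueError("malformed hex content: %r" % data)
        pairs = [data[i:i + 2].upper() for i in range(0, len(data), 2)]
        return '"|%s|"' % " ".join(pairs)  # Snort pipe notation
    raise ValueError("unsupported content encoding: %r" % encoding)


def xml_to_snort(xml_text, entities=ENTITY_MAP):
    """Build a Snort rule line from the XML rule."""
    rule = parse_rule(xml_text, entities)
    logic = rule.find("logic/and")
    proto = logic.findtext("protocol")
    src = logic.findtext("source/address")
    sport = logic.findtext("source/port") or "any"
    dst = logic.findtext("destination/address")
    dport = logic.findtext("destination/port") or "any"
    # Assumed: source/destination already fix the direction, so only an
    # explicit "both" switches to Snort's bidirectional operator.
    arrow = "<>" if logic.findtext("direction") == "both" else "->"

    opts = ['msg:"%s"' % rule.findtext("header/title")]
    for elem in logic.findall("content"):
        opts.append("content:%s" % content_to_snort(elem))
    cve = rule.findtext("header/id/cve")
    if cve:
        opts.append("reference:cve,%s" % cve)
    ids = rule.findtext("header/id/ids")
    if ids and ids.startswith("IDS"):
        # arachnids is Snort's reference type for whitehats IDS entries (assumed mapping).
        opts.append("reference:arachnids,%s" % ids[3:])
    return "alert %s %s %s %s %s %s (%s;)" % (
        proto, src, sport, arrow, dst, dport, "; ".join(opts))


if __name__ == "__main__":
    print(xml_to_snort(SAMPLE_XML))
```

The hex branch rejects odd-length or non-hex strings instead of guessing, and the text branch escapes the characters Snort gives meaning to inside a content string, so a payload such as `a;b` cannot terminate the option early.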