[Snort-devel] IDMEF XML plugin for Snort

Dave Terrio mterrio at ...1981...
Wed May 14 09:39:21 EDT 2003


Hi, I've been trying to get the IDMEF output plugin working with snort
- so I downloaded Snort 1.9 with the plugin enabled from
http://www.silicondefense.com/idwg/snort-idmef/
   To make a long story short, I'm trying to run on Mandrake 8.1 and am having
a lot of trouble.  Basically, all I want to do is write IDMEF alerts to a log
file - so, in the rules file (snort.conf), I added:

output idmef: $HOME_NET output=alert dtd=/path/ analyzerid=IDSONE
facility_default=file\idmef-messages.log

   This configuration (based on the example provided in the rules file) seems
different from the examples provided with version 0.2.2 of the plugin which
call for only the "logto", "dtd" and "analyzer_id" keys.  Anyways, I would
expect to see IDMEF alerts in /var/log/snort - but am only seeing ASCII
alerts - should I be specifying a path somewhere for the IDMEF alerts?  Is
there something else I should be specifying?  Is there a way to write these
alerts to sockets?

Any help would be greatly appreciated,
-David
