Re: [Snort-devel] IDMEF XML plugin for Snort
Sandro.Poppi at ...1204...
Wed May 14 23:11:08 EDT 2003
You can specify the path with
facility_default=file|/var/log/snort/idmef-messages.log. There's also an
option to use tcp for transferring alerts (didn't test it yet).
Be warned: I found some issues which cause IDMEF to SEGFAULT since I'm
currently working on extending the plugin to add IDXP support. If you're
interested in the patches I can send them to you (but this might take until
BTW, it also works with snort 2.0.0.
> Hi, I've been trying to get the IDMEF output plugin working with snort
> - so I downloaded Snort 1.9 with the plugin enabled from
> To make a long story short, I'm trying to run on Mandrake 8.1 and am having
> a lot of trouble. Basically, all I want to do is write IDMEF alerts to a log
> file - so, in the rules file (snort.conf), I added:
> output idmef: $HOME_NET output=alert dtd=/path/ analyzerid=IDSONE
> This configuration (based on the example provided in the rules file) seems
> different from the examples provided with version 0.2.2 of the plugin, which
> call for only the "logto", "dtd" and "analyzer_id" keys. Anyway, I would
> expect to see IDMEF alerts in /var/log/snort - but am only seeing ASCII
> alerts - should I be specifying a path somewhere for the IDMEF alerts? Is
> there something else I should be specifying? Is there a way to write these
> alerts to sockets?
> Any help would be greatly appreciated,
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
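Once the plugin is writing to the file named by facility_default=file|..., the next thing a defender wants is to read those alerts back for triage. The script below is an added example, not code from this thread or from the Snort IDMEF plugin. The log content is constructed inline and follows the IDMEF Alert element layout (Analyzer, CreateTime, Source/Target with Node/Address/Service, Classification with a text attribute); the plugin's DTD-era output may name some elements differently (older drafts put the classification name in a child element), which is why lookups go by local element name and are easy to adapt. Two things a log reader has to cope with are modelled: a file of back-to-back messages is not one well-formed XML document, and the last message may be half-written or contain unescaped characters.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a file-backed IDMEF log (not captured plugin output):
# two good messages, one with an unescaped '&' in its classification text,
# and one cut off mid-write as it would be while the plugin is still writing.
SAMPLE_LOG = """<?xml version="1.0"?>
<IDMEF-Message version="1.0"><Alert messageid="constructed-0001">
<Analyzer analyzerid="IDSONE"/><CreateTime>2003-05-14T23:11:08Z</CreateTime>
<Source><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node>
<Service><port>31337</port><protocol>tcp</protocol></Service></Source>
<Target><Node><Address category="ipv4-addr"><address>192.0.2.20</address></Address></Node>
<Service><port>80</port><protocol>tcp</protocol></Service></Target>
<Classification text="CONSTRUCTED web probe"/></Alert></IDMEF-Message>
<?xml version="1.0"?>
<IDMEF-Message version="1.0"><Alert messageid="constructed-0002">
<Analyzer analyzerid="IDSONE"/><CreateTime>2003-05-14T23:12:01Z</CreateTime>
<Source><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node></Source>
<Target><Node><Address category="ipv4-addr"><address>192.0.2.21</address></Address></Node></Target>
<Classification text="CONSTRUCTED web probe"/></Alert></IDMEF-Message>
<?xml version="1.0"?>
<IDMEF-Message version="1.0"><Alert messageid="constructed-0003">
<Analyzer analyzerid="IDSONE"/><CreateTime>2003-05-14T23:12:30Z</CreateTime>
<Classification text="CONSTRUCTED bad & unescaped"/></Alert></IDMEF-Message>
<?xml version="1.0"?>
<IDMEF-Message version="1.0"><Alert messageid="constructed-0004">
<Analyzer analyzerid="IDSONE"/><CreateTime>2003-05-14T23:1"""

# Locate each message by its outer element instead of parsing the whole file.
MESSAGE_RE = re.compile(r"<IDMEF-Message\b.*?</IDMEF-Message>", re.S)


def local(tag):
    """Strip any XML namespace so lookups work with or without the IDMEF ns."""
    return tag.rsplit("}", 1)[-1]


def find_path(elem, *names):
    """Descend through children by local name; None if any step is missing."""
    for name in names:
        elem = next((c for c in elem if local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def text_at(elem, *names):
    node = find_path(elem, *names)
    return node.text.strip() if node is not None and node.text else None


def parse_alert(alert):
    """Flatten one <Alert> into the fields an analyst usually pivots on."""
    analyzer = find_path(alert, "Analyzer")
    cls = find_path(alert, "Classification")
    return {
        "id": alert.get("messageid"),
        "analyzer": analyzer.get("analyzerid") if analyzer is not None else None,
        "time": text_at(alert, "CreateTime"),
        "src": text_at(alert, "Source", "Node", "Address", "address"),
        "src_port": text_at(alert, "Source", "Service", "port"),
        "dst": text_at(alert, "Target", "Node", "Address", "address"),
        "dst_port": text_at(alert, "Target", "Service", "port"),
        "classification": cls.get("text") if cls is not None else None,
    }


def parse_idmef_log(text):
    """Return (alerts, skipped, pending).

    alerts  - parsed Alert records from every well-formed message
    skipped - complete messages that failed XML parsing (e.g. bare '&')
    pending - True if an unfinished message trails the last complete one
    """
    alerts, skipped, last_end = [], 0, 0
    for m in MESSAGE_RE.finditer(text):
        last_end = m.end()
        try:
            root = ET.fromstring(m.group(0))
        except ET.ParseError:
            skipped += 1
            continue
        for child in root:
            if local(child.tag) == "Alert":
                alerts.append(parse_alert(child))
    pending = "<IDMEF-Message" in text[last_end:]
    return alerts, skipped, pending


def summarize(alerts):
    """Count alerts per (classification, source address) for a triage view."""
    return Counter((a["classification"], a["src"]) for a in alerts)


if __name__ == "__main__":
    alerts, skipped, pending = parse_idmef_log(SAMPLE_LOG)
    for a in alerts:
        print(f'{a["time"]} {a["analyzer"]} {a["src"]}:{a["src_port"]} -> '
              f'{a["dst"]}:{a["dst_port"]} {a["classification"]}')
    print(summarize(alerts), "skipped:", skipped, "pending:", pending)
```

Run it against the real file by replacing SAMPLE_LOG with the contents of /var/log/snort/idmef-messages.log; a non-zero skipped count points at messages the plugin emitted without XML escaping, and pending set on a quiet sensor is a hint that a write was interrupted rather than still in progress.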