AW: [Snort-devel] IDMEF XML plugin for Snort

Poppi, Sandro Sandro.Poppi at ...1204...
Wed May 14 23:11:08 EDT 2003


Hi Dave,

You can specify the path with
facility_default=file|/var/log/snort/idmef-messages.log. There's also an
option to use tcp for transfering alerts (didn't test it yet).

Be warned: I found some issues which cause IDMEF to SEGFAULT since I'm
currently working on extending the plugin to add IDXP support. If you're
interested in the patches I can send them to you (but this might take until
next week).

BTW, it also works with snort 2.0.0.

HTH,
Sandro 
> 
> Hi I've been trying to get the IDMEF output plugin working with snort
> - so I downloaded Snort 1.9 with the plugin enabled from
> http://www.silicondefense.com/idwg/snort-idmef/
>    To make a long story short, I'm trying to run on Mandrake 
> 8.1 and am having
> a lot of trouble.  Basically, all I want to do is write IDMEF 
> alerts to a log
> file - so, in the rules file (snort.conf), I added:
> 
> output idmef: $HOME_NET output=alert dtd=/path/ analyzerid=IDSONE
> facility_default=file\idmef-messages.log
> 
>    This configuration (based on the example provided in the 
> rles file) seems
> different from the examples provided with version 0.2.2 of 
> the plugin which
> call for only the "logto", "dtd" and "analyzer_id" keys.  
> Anyways, I would
> expect to see IDMEF alerts in /var/log/snort - but am only 
> seeing  ASCII
> alerts - should I be specifying a path somewhere for the 
> IDMEF alerts?  Is
> there something else I should be specifying?  Is there a way 
> to write these
> alerts to sockets?
> 
> Any help would be greatly appreciated,
> -David
> 
> 
> 
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux 
> enterprise solutions
> www.enterpriselinuxforum.com
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 




More information about the Snort-devel mailing list