[Snort-users] Problems with XML Plug-in

Dave Schwinn Schwinn.David at ...617...
Fri Apr 6 07:22:49 EDT 2001


I'm experimenting with the XML output plug-in in Snort 1.7 Win32 and am
having a couple of problems. 

I have been successful in getting the plug-in to output to a file. However,
the data is always truncated, literally chopped off mid-element. Therefore,
the document is invalid XML. This behavior is consistent; in fact, I'm not
sure I've ever gotten complete results.

Second, the first line of the document, <?xml version="1.0"
encoding="UTF-8">, seems to be invalid syntax. Shouldn't it be <?xml
version="1.0" encoding="UTF-8"?>

Third, I'm having a difficult time finding definitive info about the
<!DOCTYPE> tag but I'm not sure it's right. IE 5.5 chokes on this line.

Any help or suggestions you could provide would be greatly appreciated!!!

Thanks,

Dave Schwinn
Full Service Networking

#########################

Version: Snort 1.7 Win32
Configuration file syntax: output xml: alert, file=xml detail=fast

Example of output:

<?xml version="1.0" encoding="UTF-8">
<!DOCTYPE snort-message-version-0.1 PUBLIC>

<file>

<event version="1.0">
<sensor encoding="hex" detail="fast">
<interface>\</interface>
<ipaddr version="4">0.0.0.0</ipaddr>
<hostname>DAVESLAPTOP</hostname>
</sensor>
<signature>BETA - Some lamer just sent you an ICMP Echo Request with no
data</signature>
<timestamp>2001-04-05 15:52:00+00</timestamp>
<packet>
<iphdr saddr="10.112.201.178" daddr="10.112.201.65" proto="1">
<icmphdr type="8" code="0"/>
</iphdr>
</packet>
</event>

<event version="1.0">
<sensor e         <----- truncated here!
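
An added example, not part of the original post and not Snort code: a Python check a log consumer could run on such a file before ingesting alerts. It flags the two prolog issues raised above, counts the events that arrived complete, and locates the truncation point. The `diagnose` helper and the shortened sample are constructed for illustration.

```python
import re
import xml.parsers.expat as expat

# Constructed sample, shortened from the output quoted in the post.
SAMPLE = """<?xml version="1.0" encoding="UTF-8">
<!DOCTYPE snort-message-version-0.1 PUBLIC>

<file>

<event version="1.0">
<sensor encoding="hex" detail="fast">
<hostname>DAVESLAPTOP</hostname>
</sensor>
<timestamp>2001-04-05 15:52:00+00</timestamp>
</event>

<event version="1.0">
<sensor e"""

def blank(text, match):
    """Overwrite a matched span with spaces so line numbers stay valid."""
    return text[:match.start()] + " " * len(match.group(0)) + text[match.end():]

def diagnose(text):
    """Hypothetical helper: prolog defects, complete events, truncation line."""
    report = {"findings": [], "complete_events": 0, "error_line": None}
    decl = re.match(r"<\?xml\b[^>]*>", text)
    if decl and not decl.group(0).endswith("?>"):
        report["findings"].append('XML declaration is not closed with "?>"')
        text = blank(text, decl)
    doctype = re.search(r"<!DOCTYPE\s+\S+\s+PUBLIC\s*>", text)
    if doctype:
        report["findings"].append("DOCTYPE uses PUBLIC without public/system identifiers")
        text = blank(text, doctype)

    def end_element(name):
        if name == "event":
            report["complete_events"] += 1

    parser = expat.ParserCreate()
    parser.EndElementHandler = end_element
    try:
        parser.Parse(text, True)  # True: no more data follows
    except expat.ExpatError as err:
        report["error_line"] = err.lineno
        report["findings"].append(f"body not well-formed at line {err.lineno}: {err}")
    return report

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(key, value)
```

A non-empty `findings` list with a set `error_line` means alerts after that line were lost, so the file should be treated as incomplete rather than parsed as-is.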