[Snort-users] Incorrect content-type header in XML output module?

roman at ...438... roman at ...438...
Fri Jun 1 15:02:26 EDT 2001


The "multipart/form-data" was an artifact of the code which
was used to parse this HTTPS stream.  However, you are
correct.  The Content-Type should more appropriately read

CVS write-access developers: Please commit this attached patch

[CVS message: update the Content-Type of the HTTP
header to "text/xml" to properly reflect that Snort is sending


> To the snort developers,
> First off, let me say just how great Snort is. Snort is just great. It is
> swell and happy and fun. To be honest, I feel ashamed to be complaining
> about it because otherwise it's just great. But there's one little picky
> detail that's gotten under my skin lately.
> I've been using the XML output module and experimenting with pulling the
> data into PHP via the http protocol. The XML output module for snort 1.7
> provides a "Content-type: multipart/form-data" header to the http server,
> but then dumps the alert in XML format. This creates a problem when the
> PHP server tries to parse the data in name/value pairs but doesn't find
> anything resembling the multipart/form-data content type it was promised.
> By patching the spo_xml.h file (defining CONTENT_TYPE to be anything
> other than multipart/form-data) I am able to use PHP to directly parse
> the XML alerts. I would like to suggest that instead of using the
> incorrect content type as is currently done, the default Content-type be
> changed to text/xml or something similar to more correctly represent the
> actual type of content being sent.
> This would help myself and anyone else wanting to integrate the XML module
> into a PHP environment. The project I'm working on now (the Cerias
> Incident Response Database https://www.cerias.purdue.edu/irdb/ ) is heavily
> based on PHP. Our users are pushing for snort support, and we would like
> to be able to support it "out of the box". As it stands, anyone who wants
> to use PHP to parse the XML alerts coming via http would have to modify
> snort.
> Thanks in advance,
> Patrick F.
> --
>      "Flood pinging the broadcast address is not recommended." -- ping(1)

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: spo_xml.h.patch
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010601/5a8ecace/attachment.ksh>
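
The mismatch described in the quoted report, as an added example that is not part of the original thread or of Snort's code: a receiver that dispatches on the declared Content-Type finds no form fields in an XML body labelled multipart/form-data, and parses the same body once it is labelled text/xml. It is written in Python rather than the PHP the thread mentions; the alert body, its element names, and the DOCTYPE rejection policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from email.message import Message
from email.parser import BytesParser

# Constructed sample body; element names are illustrative, not Snort's schema.
SAMPLE_ALERT = (
    b'<?xml version="1.0"?>'
    b"<alert><signature>ICMP flood</signature>"
    b"<source>192.0.2.10</source><dest>192.0.2.255</dest></alert>"
)


def media_type(content_type):
    """Return the lowercased type/subtype, ignoring parameters."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_type()


def parse_form_data(content_type, body):
    """Parse multipart/form-data into {field name: value}; {} if no parts."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser().parsebytes(raw)
    fields = {}
    if msg.is_multipart():
        for part in msg.get_payload():
            name = part.get_param("name", header="content-disposition")
            if name:
                data = part.get_payload(decode=True)
                fields[name] = data.decode("utf-8", "replace")
    return fields


def parse_xml_alert(body):
    """Parse an XML alert into {child tag: text}; refuse DTDs (assumed policy)."""
    if b"<!DOCTYPE" in body.upper():
        raise ValueError("DOCTYPE not accepted in alert bodies")
    root = ET.fromstring(body)
    return {child.tag: (child.text or "") for child in root}


def receive(content_type, body):
    """Dispatch on the declared Content-Type, as a form-handling server does."""
    kind = media_type(content_type)
    if kind == "multipart/form-data":
        return parse_form_data(content_type, body)
    if kind in ("text/xml", "application/xml"):
        return parse_xml_alert(body)
    raise ValueError("unsupported Content-Type: " + kind)
```
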
