[Snort-users] Incorrect content-type header in XML output module?

patrick.n.fitzgerald.1 pfitzge1 at ...301...
Tue May 29 20:41:48 EDT 2001


To the snort developers,

First off, let me say just how great Snort is. Snort is just great. It is
swell and happy and fun. To be honest, I feel ashamed to be complaining
about it because otherwise it's just great. But there's one little picky
detail that's gotten under my skin lately.

I've been using the XML output module and experimenting with pulling the
data into PHP via the http protocol. The XML output module for snort 1.7
provides a "Content-type: multipart/form-data" header to the http server,
but then dumps the alert in XML format. This creates a problem when the
PHP server tries to parse the data in name/value pairs but doesn't find
anything resembling the multipart/form-data content type it was promised.

By patching the spo_xml.h file (defining CONTENT_TYPE to be anything
other than multipart/form-data) I am able to use PHP to directly parse
the XML alerts. I would like to suggest that instead of using the
incorrect content type as is currently done, the default Content-type be
changed to text/xml or something similar to more correctly represent the
actual type of content being sent.

This would help myself and anyone else wanting to integrate the XML module
into a PHP environment. The project I'm working on now (the Cerias
Incident Response Database https://www.cerias.purdue.edu/irdb/ ) is heavily
based on PHP. Our users are pushing for snort support, and we would like
to be able to support it "out of the box". As it stands, anyone who wants
to use PHP to parse the XML alerts coming via http would have to modify
snort.

Thanks in advance,
Patrick F.

--
"BUGS
     Flood pinging the broadcast address is not recommended." -- ping(1)
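The header/body mismatch described in the message above, reproduced end to end as an added example. This is not code from the original post or from Snort: it builds the HTTP POST the XML output module would send (once with the 1.7 "multipart/form-data" header, once with "text/xml") and feeds it to a small receiver that, like a PHP form handler, parses strictly by the declared Content-Type. The `<event>` element, the "alert" field name and the `/alert.php` path are constructed stand-ins, not Snort's actual XML schema or any real endpoint.

```python
"""Added example, not code from the original post or from Snort.

Snort 1.7's XML output module POSTed an XML document while declaring
"Content-type: multipart/form-data", so a receiver that parses by the
declared type (as PHP does) found no form fields.  A strict receiver
rejects that request; with "text/xml" the same body parses.  The <event>
element is a constructed stand-in for an alert record, not Snort's real
XML schema, and /alert.php is hypothetical.
"""
import xml.etree.ElementTree as ET
from email.parser import BytesParser
from email.policy import default as default_policy

# Constructed sample body: a minimal alert-like XML document.
SAMPLE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<event sensor="sensor1">\n'
    b'  <signature>constructed test signature</signature>\n'
    b'  <src>10.0.0.5</src><dst>10.0.0.9</dst>\n'
    b'</event>\n'
)

# Constructed body that really is multipart/form-data: the XML carried in
# one form field named "alert", with boundary "XYZ".
MULTIPART_BODY = (
    b'--XYZ\r\n'
    b'Content-Disposition: form-data; name="alert"\r\n'
    b'\r\n' + SAMPLE_XML + b'\r\n'
    b'--XYZ--\r\n'
)


class BadRequest(Exception):
    """Raised when the declared Content-Type and the body do not agree."""


def build_request(content_type: str, body: bytes) -> bytes:
    """Client side: the POST the XML output module sends, with a chosen header."""
    head = (f"POST /alert.php HTTP/1.0\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def parse_request(raw: bytes) -> tuple:
    """Server side: split a raw request into a lowercase header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii").split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return headers, body[:length]


def parse_content_type(value: str) -> tuple:
    """Split 'type/subtype; k=v; ...' into the media type and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def parse_multipart(body: bytes, params: dict) -> dict:
    """Parse multipart/form-data into {field name: bytes}; no fields is an error."""
    boundary = params.get("boundary")
    if not boundary:  # a form parser cannot even start without the boundary
        raise BadRequest("multipart/form-data declared without a boundary")
    wrapped = (b'Content-Type: multipart/form-data; boundary="'
               + boundary.encode("ascii") + b'"\r\n\r\n' + body)
    msg = BytesParser(policy=default_policy).parsebytes(wrapped)
    fields = {}
    for part in msg.iter_parts():  # yields nothing if the body is not multipart
        name = part.get_param("name", header="content-disposition")
        if name:
            fields[name] = part.get_payload(decode=True)
    if not fields:  # e.g. raw XML under a multipart header: no name/value pairs
        raise BadRequest("multipart/form-data body contains no form fields")
    return fields


def parse_alert_xml(data: bytes) -> ET.Element:
    """Parse the alert document.  The input is untrusted: a production
    receiver should additionally disable DTD/entity processing (e.g. defusedxml)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise BadRequest(f"body is not well-formed XML: {exc}") from exc
    if root.tag != "event":  # "event" is the constructed root element
        raise BadRequest(f"unexpected root element {root.tag!r}")
    return root


def receive(raw: bytes) -> str:
    """Dispatch strictly on the declared Content-Type, as a PHP endpoint does."""
    headers, body = parse_request(raw)
    media_type, params = parse_content_type(headers.get("content-type", ""))
    try:
        if media_type in ("text/xml", "application/xml"):
            root = parse_alert_xml(body)
        elif media_type == "multipart/form-data":
            fields = parse_multipart(body, params)
            if "alert" not in fields:
                raise BadRequest("no 'alert' form field in multipart body")
            root = parse_alert_xml(fields["alert"])
        else:
            raise BadRequest(f"unsupported Content-Type {media_type!r}")
    except BadRequest as exc:
        return f"rejected: {exc}"
    return f"parsed: {root.tag} from {root.findtext('src')} to {root.findtext('dst')}"


if __name__ == "__main__":
    # What Snort 1.7 sent: an XML body under a multipart/form-data header.
    print(receive(build_request("multipart/form-data", SAMPLE_XML)))
    # What the post asks for: the same body declared as text/xml.
    print(receive(build_request("text/xml", SAMPLE_XML)))
    # A body that really is multipart/form-data is also accepted.
    print(receive(build_request('multipart/form-data; boundary="XYZ"', MULTIPART_BODY)))
```

The receiver deliberately never sniffs the body to guess its type: it parses what the header declares and rejects a request whose body cannot be read that way, which is the behaviour the post observed in PHP and why the Content-Type the sensor declares has to be the real one.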