[Snort-users] IDMEF and FreeBSD 4.x

Joe McAlerney joey at ...47...
Tue Nov 13 17:13:11 EST 2001


Rob,

That's a great idea.  Attached is the README.IDMEF file.  This should
prevent further confusion.

Happy Snorting!

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey at ...47...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

"Robert D. Hughes" wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Thanks! I've been banging my head on this for a couple of weeks now.
> Just to save other poor, stupid, souls like myself from this, can we can
> get a README.IDMEF or something added to the distribution?
> 
> Thanks,
> Rob
> 
> - -----Original Message-----
> From: Joe McAlerney [mailto:joey at ...47...]
> Sent: Monday, November 12, 2001 4:16 PM
> To: Robert D. Hughes
> Cc: Snort-users (E-mail)
> Subject: Re: [Snort-users] IDMEF and FreeBSD 4.x
> 
> Hello Robert,
> 
> The libntp libraries are available from www.ntp.org.  Documentation for
> libidmef, and the IDMEF XML plugin are available on our site.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0.4
> 
> iQA/AwUBO/EiiOa2P6TrxG1EEQLe/ACeNPMl07ci00HEWbeqL/X/aEaeoJAAnj9e
> UOCzWLNnRKeba4QAFLv+1N/n
> =VXeq
> -----END PGP SIGNATURE-----
> 
>   ------------------------------------------------------------------------
>                          Name: PGPexch.htm.asc
>    PGPexch.htm.asc       Type: unspecified type (application/octet-stream)
>                      Encoding: base64
>                   Description: PGPexch.htm.asc
-------------- next part --------------
IDMEF XML output plugin for Snort, version 0.2.2

Purpose: ----------------------------------------

  This plugin converts Snort alerts into Intrusion Detection Message Exchange
  Format (IDMEF) XML messages.  IDMEF was created by the IDWG working group, a
  part of the IETF.  For more information on IDMEF, visit 
  http://www.silicondefense.com/idwg/libidmef/

Usage: ------------------------------------------

  To use this plugin, you must compile it into Snort (see INSTALL.idmef), and
  activate it in the Snort configuration file. Arguments to the plugin are
  specified in the "Arguments" section below. You must also specify which
  rules you wish to generate IDMEF XML messages for. This is done by adding
  the keyword "idmef", followed by the alert type, to a rule.  Current valid
  alert types are "web", "overflow", and "default". This will allow you to
  specify different output format types for each type of alert.

  Some example rules are:

    alert TCP any any -> any 27665 (msg: "IDS196/trin00-attacker-to-master"; flags: AP; content: "betaalmostdone"; idmef: default;)

    alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS434/web-iis-unicode-traversal-backslash"; flags: AP; content: "..|25|c1|25|9c"; nocase; idmef: web;)

  In reality, the alert type is not that important.  It was added to allow for
  further differentiation of alerts in the future.  As IDMEF changes, it may
  be convient to build different types of IDMEF messages, and do different
  things with them.

  IDMEF messages are logged to a user-specified file.  The next version of this
  plugin will allow IDMEF messages to be transported over IAP.

Arguments: --------------------------------------

  Activate the IDMEF XML plugin by adding "idmef" to your Snort
  configuration file, followed by an argument list.

  idmef: $HOME_NET key1=value1 key2=value2 key3=value3 ...

  NOTE: Values may not have spaces in them.  For values like "location",
        use underscores.  i.e., location=Client_1_Network
 
  $HOME_NET is in the format: <dotted ip address>/<netmask>
                              i.e., 123.234.123.0/24

-= The required keys and their associated values are: =-

     logto       - The location of the file to log the IDMEF XML alerts to.

     dtd         - The location of the IDMEF XML dtd file.

     analyzer_id - A unique identifier of this IDS.

-= The optional key's and their associated values are: =-

              -=- Analyzer specific keys and values -=-

     category - The domain type that this Analyzer is in. The posible 
                values are:
                
                unknown - No relevant domain. Default value
                ads - Windows 2000 ADS
                afs - Andrew File System
                coda - CODA distributed file system
                dfs - DFS distributed file system
                dns - Domain Name System
                kerberos - Kerberos realm
                nds - Novel Netware
                nis - Network Information Service (Yellow Pages)
                nisplus - Network Informations Service Plus
                nt - Windows NT domain
                wfw - Windows for Workgroups

     name     - The fully qualified domain name of this IDS equipment.
 
     location - The physical location of this IDS.

     address  - The network address of this IDS.
 
     netmask  - the netmask of the address, if appropriate.
  
     address_cat - The type (category) of address provided. The possible
                   values are:

                   unknown - Type not unknown.  Default value
                   atm - Asynchronous Transfer Mode network address
                   e-mail - Internet electronic mail address (RFC822)
                   lotus-notes - Lotus Notes address
                   mac - Media Access Control (MAC) address
                   sna - IBM Shared Network Architecture (SNA) address
                   vm - IBM "VM" (PROFS) electronic mail address
                   ipv4-addr - IPv4 host address in dotted-decimal notation
                               (aaa.bbb.ccc.ddd)
                   ipv4-addr-hex - IPv4 host address in hexadecimal
                   ipv4-net - IPv4 network address in dotted-decimal
                              notation, slash, significant bits
                              (aaa.bbb.ccc.ddd/nn)
                   ipv4-net-mask - IPv4 network address and associated
                                   network mask
                   ipv6-addr - IPv6 host address
                   ipv6-net - IPv6 network address
                   ipv6-net-mask - IPv6 network address and associated
                                   network mask

              -=- HOMENET specific keys and values -=-

     homenet_cat - The domain type that the home network is in. The posible 
                   values are the same as the Analyzer's "category" above.

     homenet_loc - The physical location of the home network

              -=- Alert specific keys and values -=-

     default  - The "default" IDMEF message type rule option.  The
                following value options configure the way these types of
                alerts are handled.

                disable - disables the "default" IDMEF message type

                hex     - prints the packet payload for "default" 
                          IDMEF message types in hex

                ascii   - prints the packet payload for "default"
                          IDMEF message types in ascii

                base64  - prints the packet payload for "default"
                          IDMEF message types in base64

     web      - The "web" IDMEF message type rule option.  The
                following value options configure the way these types of
                alerts are handled.

                disable - disables the "web" IDMEF message type

                hex     - prints the packet payload for "web" IDMEF
                          message types in hex

                ascii   - prints the packet payload for "web" IDMEF
                          message types in ascii

                base64  - prints the packet payload for "web" IDMEF
                          message types in base64

     overflow - The "overflow" IDMEF message type rule option.  The
                following value options configure the way these types of
                alerts are handled.

                disable - disables the "overflow" IDMEF message type

                hex     - prints the packet payload for "overflow"
                          IDMEF message types in hex

                ascii   - prints the packet payload for "overflow"
                          IDMEF message types in ascii

                base64  - prints the packet payload for "overflow"
                          IDMEF message types in base64

     indent   - Specifies whether the XML message should be indented.
                Keep in mind that whitespace is signifigant in XML.
                The default value is false.  Possible value:
      
                true    - yep, indent the XML alert

     alert_id - Path and filename to the file containing the next alert id
                number, or the place to put alert id numbers if this is the
                first time this plugin has ran.
                (defaults to /var/log/alert_id_number)


Configuration Examples: ------------------------

  In your Snort configuration file, you must activate the IDMEF XML plugin,
  and pass it arguments.

  output idmef: 123.234.123.0/24 logto=/var/log/snort/idmef_alerts.log analyzer_id=IDS1 dtd=/path/to/idmef-message.dtd

  output idmef: 123.234.123.0/24 logto=/var/log/snort/idmef_alerts.log analyzer_id=IDS1 dtd=/path/to/idmef-message.dtd category=dns location=San_Francisco_network address=123.234.123.55 address_cat=ipv4-addr web=ascii default=hex homenet_loc=San_Francisco_network homenet_cat=dns

Additional Notes: ------------------------------

- I created a crude script (append_idmef.pl) that adds the "idmef" keyword,
  and an alert type to each rule in a rule set.  Unless the rule contains some
  form of content indicating that it is a web-based rule, the alert type
  assigned will be "default".

- The IDMEF XML plugin can utilize the reference plugin to associate alerts
  with different identification systems, such as Bugtraq, arachNIDS, and CVE.
  If a "reference" keyword and value is specified in a rule, the IDMEF XML
  plugin will include the information in a Classification element of the alert.

  For example,

  alert TCP any any -> any 80 (msg: "IDS200/web-iis_encoding"; flags: AP; content: "|25 31 75|"; reference: arachNIDS,IDS200; reference: cve,CVE-2000-0024; idmef: web;)

  will produce an IDMEF Message with the following Classifications:

  ...

  <Classification origin="vendor-specific">
     <name>IDS200/web-iis_encoding</name>
     <url>http://www.whitehats.com/info/IDS200</url>
  </Classification>
  <Classification origin="cve">
     <name>IDS200/web-iis_encoding</name>
     <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0024</url>
  </Classification>

  ...

Output Example: ------------------------------

  The following is a Snort rule and a sample IDMEF XML message produced.
  It has been indented using the "indent=true" argument for readability
  sake.

  alert TCP any any -> any 80 (msg: "IDS297/http-directory-traversal1"; flags: AP; content: "../"; reference: arachNIDS,IDS297; idmef: default;)

<IDMEF-Message version="0.1">
  <Alert alertid="329440" impact="unknown" version="1">
    <Time>
      <ntpstamp>0x3a2d8b3a.0x0</ntpstamp>
      <date>2000-12-05</date>
      <time>16:41:30</time>
    </Time>
    <Analyzer ident="IDS1">
      <Node category="dns">
        <location>San_Francisco_Network</location>
        <name>supersnort</name>
        <Address category="ipv4-addr">
          <address>123.234.123.12</address>
        </Address>
      </Node>
    </Analyzer>
    <Classification origin="vendor-specific">
      <name>IDS297/http-directory-traversal1</name>
      <url>http://www.whitehats.com/info/IDS297</url>
    </Classification>
    <Source spoofed="unknown">
      <Node>
        <Address category="ipv4-addr">
          <address>222.222.111.11</address>
        </Address>
      </Node>
    </Source>
    <Target decoy="unknown">
      <Node category="dns">
        <location>San_Francisco_Network</location>
        <Address category="ipv4-addr">
          <address>123.234.123.7</address>
        </Address>
      </Node>
      <Service ident="0">
        <dport>80</dport>
        <sport>1397</sport>
      </Service>
    </Target>
    <AdditionalData meaning="Packet Payload" type="string">GET ../../stuff/I/shouldnt/be/seeing</AdditionalData>
  </Alert>
</IDMEF-Message>

TODO: ----------------------------------------

- Add BEEP (IDXP) transport support.

- Add more information to IDMEF messages when Snort's output plugins gain
  additional access to information gathered and produced by input plugins.

FAQ: -----------------------------------------

Q: When I try to run Snort's configure script, I get errors.

A1: Make sure you followed the directions in INSTALL.idmef, and pasted the
    information into configure.in corretly.  Also, make sure you ran autoconf.

A2: Make sure libxml2, libntp, and libidmef are all installed.  See
    INSTALL.idmef for information on how to get those libraries.  Also,
    make sure the script can find those libraries.  You may have to use
    additional configure options (as described in INSTALL.idmef) to point
    the script to the library and header file locations.

A3: You may need to run "ldconfig /usr/local/lib", delete config.cache in the
    snort source directory, run configure again.  I have found this to happen 
    on OpenBSD.

Q: I can configure Snort, but I get errors when trying to compile it.

A1: Be sure you are using libxml2, and not libxml1.  Check your /usr/local/lib
    or /usr/lib directories to make sure the links are pointed to libxml2.

A2: Did you use the --enable-idmef tag when your ran configure? (This one
    still gets me... go figure).

TESTED PLATFORMS: ---------------------------

+ Red Hat 6.1, 7.0
+ Debian 2.2 running Linux 2.4.2
+ OpenBSD 2.6, 2.8
+ FreeBSD 4.2

Contact: -------------------------------------

  Please feel free to send me questions and comments.

  Joe McAlerney
  Silicon Defense
  joey at ...155...
  http://www.silicondefense.com


More information about the Snort-users mailing list