AW: [Snort-users] About IDMEF XML

Poppi, Sandro Sandro.Poppi at ...3316...
Sun Apr 13 23:11:09 EDT 2003


Hi lucy,

I ran into the same problem (IDMEF(): not an IDMEF rule, returning), but
re-reading README.idmef solved it: for each rule you have to add something
like
 idmef:default;
so the idmef plugin is used, e.g.

alert icmp any any -> any any (msg:"Test";idmef:default;)

About the segfault, I'm currently investigating what's happening. Try using
ElectricFence (which is shipped with my RedHat installation) and link snort
against it; this might show you some more info (BTW, I'm running snort
2.0.0rc4 with the idmef plugin).

HTH,
Sandro

> Hi,
>   I run snort (snort-1.9.0-idmef-1.1) in debug state
> and get some messages:
>  IDMEF: IDMEF output facility = alert
>  IDMEF: IDMEF XML dtd = idmef-message.dtd
>  IDMEF: IDMEF analyzerid = IDS1
>  IDMEF: Indented output: true
>  IDMEF: IDS alert_id file = /var/log/alert_id_num
>  IDMEF: Done parsing args
>  getStoredAlertID: Stored alert ID not found in
> /var/log/alert_id_num, continuing with alert ID = 1
>  idmef: No stored alert id.  Continuing with alert id
> = 1
> !!!!!!!1334 Snort rules read...
> 1334 Option Chains linked into 147 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Rule application order:
> ->activation->dynamic->alert->pass->log
> 
>         --== Initialization Complete ==--
> 
> -*> Snort! <*-
> Version 1.9.0 (Build 209)
> By Martin Roesch (roesch at ...1935...,
> www.snort.org)
> IDMEF(): Unknown caller type, returning
> IDMEF(): Unknown caller type, returning
> IDMEF(): not an IDMEF rule, returning
> IDMEF(): not an IDMEF rule, returning
> IDMEF(): not an IDMEF rule, returning
> IDMEF(): not an IDMEF rule, returning
> IDMEF(): not an IDMEF rule, returning
> IDMEF(): not an IDMEF rule, returning
> Segmentation fault
>   Now alert_id_number is more (in /var/log), while
> alert_id_num is empty. idmef-messages.log is empty
> too.
>   What's wrong with me?
>   BTW, configure snort with options --enable-idmef
> --enable-debug --with-libxml2-includes=dir1
> --with-libidmef-includes=dir2
> --with-libntp-libraries=dir3
>       configure libidmef with option --enable-debug
> --with-libxml2-includes=dir1
>       rules are modified by append_idmef.pl (provided
> by idmef-xml-plugin-0.2.2.tar.gz).
>      Any reply is welcome and appreciated.
> 
> Lucy
> 
> 
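As an added illustration of Sandro's point above (this is example code, not part of the thread and not the append_idmef.pl script Lucy mentions): a small Python helper that appends `idmef:default;` to every Snort rule that carries no idmef option, and reports which rule lines would still produce "IDMEF(): not an IDMEF rule, returning". The rule syntax is Snort's own; the function names and the sample rules are my own.

```python
# Snort rule actions that start a rule header line.
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

# Constructed sample rule file: lines 1 and 4 lack an idmef option.
SAMPLE_RULES = [
    'alert icmp any any -> any any (msg:"Test";)',
    'alert icmp any any -> any any (msg:"Test";idmef:default;)',
    '# a comment line',
    'alert tcp any any -> any 80 (msg:"a;b"; content:"x";)',
    'log tcp any any -> any any',
]

def split_options(body):
    """Split the text between a rule's parentheses into 'key:value' strings.
    Double-quoted values are honoured so a ';' inside msg:"..." does not
    split an option; backslash escapes inside quotes are kept as-is."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch); escape = False
        elif ch == "\\":
            cur.append(ch); escape = True
        elif ch == '"':
            in_quote = not in_quote; cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return [o for o in opts + ([tail] if tail else []) if o]

def add_idmef_option(rule, value="default"):
    """Return the rule with 'idmef:<value>;' appended to its option list
    if it has no idmef option yet. Comments, blank lines and header-only
    rules (no parentheses) are returned unchanged."""
    stripped = rule.strip()
    if not stripped or stripped.startswith("#") or not stripped.startswith(RULE_ACTIONS):
        return rule
    open_idx = stripped.find("(")
    if open_idx < 0 or not stripped.endswith(")"):
        return rule
    header, body = stripped[:open_idx], stripped[open_idx + 1:-1]
    opts = split_options(body)
    if any(o.startswith("idmef:") for o in opts):
        return rule
    opts.append("idmef:%s" % value)
    return "%s(%s)" % (header, "".join(o + ";" for o in opts))

def rules_missing_idmef(lines):
    """1-based line numbers of rules the idmef plugin would skip."""
    return [n for n, line in enumerate(lines, 1) if add_idmef_option(line) != line]

if __name__ == "__main__":
    for line in SAMPLE_RULES:
        print(add_idmef_option(line))
    print("rules without idmef option:", rules_missing_idmef(SAMPLE_RULES))
```

Run it over the real rule files (one line per rule) before starting snort; any line number it reports corresponds to a "not an IDMEF rule" message at runtime.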