Re: [Snort-users] IDMEF Plugin

Poppi, Sandro Sandro.Poppi at ...3316...
Wed May 21 23:43:04 EDT 2003


Hi Tim,
> 
> What is the current status of the IDMEF Plugin?

It's currently somewhere between maintained and unmaintained. This means: Joe
McAlerney of Silicon Defense, the original author, has no time to maintain it
further, and I'm currently thinking of taking over maintenance since I'm
currently extending it to make use of IDXP for data transport for our
threatman project (http://sourceforge.net/projects/threatman). I already
found some issues in the plugin which resulted in segfaults, and IDXP support
already works but is not tested thoroughly (still alpha).

> I noted that "--enable-idmef" is no longer a compile option in version
> 2.0.0.

It has been removed from 2.x, but it still works if you add it to Snort 2.x
(though it is not stable enough that I would recommend it for production).

> Given this, after sorting through the various versions, I installed
> 1.9.0 from Silicon Defense which incorporates the IDMEF Plugin.  I
> installed all the requisite software:  idmef, xml2, ntp.  I 
> enabled the
> plugin and got no apparent errors upon loading Snort.  However, upon
> reception of traffic, Snort seg faults.  When I turn off the IDMEF
> Plugin, I don't get any seg faults.

I'll send you my patches this evening, so stay tuned ;)
 
> I also tried installing version 1.8.7.  However, as noted in a previous
> post from Andrew Walther, I also get a libidmef not found error when I
> run Snort's ./configure.
> 
> 
> Tim

Ciao,
Sandro
