[Snort-users] Cannot get IDMEF logs with Snort IDMEF Plugin

KjetilR ausnz74 at ...14979...
Sat Sep 11 10:03:06 EDT 2010

I'm very new to Snort (never used an IDS before) and I'd like to use it 
as a way to generate IDMEF alerts from PCAP files through the IDMEF 
plugin, but so far I've had no luck.

Here is what I've done so far:
- downloaded and installed LibIDMEF 1.0.3 (successfully)
- downloaded Snort IDMEF Plugin 2.0.0beta3 and Snort (that's 
the version said to be working with the latest IDMEF plugin, according 
to the plugin's README file)
- manually patched Snort's source files to install the IDMEF plugin 
- installed Snort (successfully).

I can run Snort and it can read PCAP files, but I haven't been able to 
make it generate IDMEF files from these PCAPs.

I've added the following line to my snort.conf:
    output idmef: any output=log dtd=/usr/local/share/idmef-message.dtd analyzerid=IDS1 facility_default=file|/var/log/snort/idmef.log

and this is the rule (myIdmefRule.rules) I've created to generate the 
IDMEF files from all the traffic logged in the PCAP file:
    alert tcp any any -> any any (sid: 111111111; idmef: default;)

However, when I run Snort (from root)
    snort -vr myFile.pcap -c /etc/snort/rules/myIdmefRule.rules

everything I get is a file named 'alert', with some Snort-generated 
alerts, and another one named snort.log.XXXXXXXXXX, both in 
/var/log/snort/; there's no 'idmef.log' or IDMEF-like file.

Is there anything wrong I've done or am I missing something?
Like I said, I'm new to Snort and I'm not even sure whether the 
PCAP-to-IDMEF conversion is possible...

Thanks in advance.
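
A pre-flight check for the setup described in the message, as an added example that is not part of the original post: Snort 2.x reads output plugin directives only from the file passed to -c and the files that file includes, so the script tests whether a given file reaches an "output idmef:" line. The two sample files are constructed from the lines quoted in the message; the include line and the function names has_idmef_output and make_sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).

# has_idmef_output FILE: succeed if FILE, or a file it pulls in with
# "include", holds an uncommented "output idmef:" directive.
# Runs in a subshell so variables stay local across the recursion.
has_idmef_output() (
    conf=$1
    [ -r "$conf" ] || exit 1
    grep -Eq '^[[:space:]]*output[[:space:]]+idmef[[:space:]]*:' "$conf" && exit 0
    dir=$(dirname "$conf")
    # Follow "include <path>"; paths built from $VARIABLES are skipped.
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^[:space:]$]\{1,\}\)[[:space:]]*$/\1/p' "$conf"); do
        case $inc in /*) ;; *) inc=$dir/$inc ;; esac
        has_idmef_output "$inc" && exit 0
    done
    exit 1
)

# make_sample DIR: write constructed copies of the two files from the post.
make_sample() {
    cat > "$1/snort.conf" <<'EOF'
# constructed sample; the include line below is an assumption
output idmef: any output=log dtd=/usr/local/share/idmef-message.dtd analyzerid=IDS1 facility_default=file|/var/log/snort/idmef.log
include myIdmefRule.rules
EOF
    cat > "$1/myIdmefRule.rules" <<'EOF'
alert tcp any any -> any any (sid: 111111111; idmef: default;)
EOF
}

# Compare the two candidate arguments to "snort -c".
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample "$tmp"
for f in myIdmefRule.rules snort.conf; do
    if has_idmef_output "$tmp/$f"; then
        echo "snort -c $f: an 'output idmef:' directive is reachable"
    else
        echo "snort -c $f: no 'output idmef:' directive is reachable"
    fi
done
```
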


