[Snort-users] Cannot get IDMEF logs with Snort IDMEF Plugin
ausnz74 at ...14979...
Sat Sep 11 10:03:06 EDT 2010
I'm very new to Snort (never used an IDS before) and I'd like to use it
as a way to generate IDMEF alerts from PCAP files through the IDMEF
plugin, but so far I've had no luck.
Here is what I've done so far:
- downloaded and installed LibIDMEF 1.0.3 (successfully)
- downloaded Snort IDMEF Plugin 2.0.0beta3 and Snort 126.96.36.199 (that's
the version said to be working with the latest IDMEF plugin, according
to the plugin's README file)
- manually patched Snort's source files to install the IDMEF plugin
- installed Snort (successfully).
I can run Snort and it can read PCAP files, but I haven't been able to
make it generate IDMEF files from these PCAPs.
I've added the following line to my snort.conf:
output idmef: any output=log dtd=/usr/local/share/idmef-message.dtd
and this is the rule (myIdmefRule.rules) I've created to generate the
IDMEF files from all the traffic logged in the PCAP file:
alert tcp any any -> any any (sid: 111111111; idmef: default;)
However, when I run Snort (from root)
snort -vr myFile.pcap -c /etc/snort/rules/myIdmefRule.rules
all I get is a file named 'alert', with some Snort-generated
alerts, and another one named snort.log.XXXXXXXXXX, both in
/var/log/snort/; there's no 'idmef.log' or IDMEF-like file.
Have I done anything wrong, or am I missing something?
Like I said, I'm new to Snort and I'm not even sure whether the
PCAP-to-IDMEF conversion is possible...
Thanks in advance.
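The post quotes three things: an `output idmef:` line in snort.conf, a one-line rule file, and a command that passes the rule file (not snort.conf) to `-c`. A quick way to see whether the file handed to `-c` actually declares the output plugin the rule asks for is to lint it before running Snort. The following is an added example, not code from the list thread or from the Snort or IDMEF-plugin projects; it assumes Snort's documented behaviour that output plugins are configured in the file given with `-c` and that rules files are pulled in through `include` lines. The two sample inputs are constructed from the lines quoted above.

```python
"""Lint the Snort config that will be passed with -c: does it declare an
IDMEF output plugin, and do the rules it loads (directly or via include)
carry the idmef: option that the plugin acts on?"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs, copied from the two files quoted in the post.
SNORT_CONF = "output idmef: any output=log dtd=/usr/local/share/idmef-message.dtd\n"
RULES_FILE = "alert tcp any any -> any any (sid: 111111111; idmef: default;)\n"

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$"
)


def parse_output_plugins(text: str) -> List[Tuple[str, List[str], Dict[str, str]]]:
    """Collect 'output <plugin>: <args>' lines; positional tokens such as
    'any' are kept separate from key=value tokens such as dtd=...."""
    plugins = []
    for line in text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        positional, kv = [], {}
        for tok in m.group(2).split():
            if "=" in tok:
                key, val = tok.split("=", 1)
                kv[key] = val
            else:
                positional.append(tok)
        plugins.append((m.group(1), positional, kv))
    return plugins


def parse_rule_options(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the rule's option block as a dict ('sid' -> '111111111',
    'idmef' -> 'default'), or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts: Dict[str, Optional[str]] = {}
    for field in m.group(2).split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, val = field.partition(":")
        opts[key.strip()] = val.strip() if sep else None
    return opts


def collect_rules(text: str, included: Dict[str, str], seen=None) -> List[Dict]:
    """Rules written directly in the config plus those reachable through
    'include' lines. `included` maps include paths to file contents, so the
    check runs offline; unknown include paths are skipped."""
    seen = set() if seen is None else seen
    rules = []
    for line in text.splitlines():
        inc = INCLUDE_RE.match(line)
        if inc:
            path = inc.group(1)
            if path in included and path not in seen:
                seen.add(path)
                rules.extend(collect_rules(included[path], included, seen))
            continue
        opts = parse_rule_options(line)
        if opts is not None:
            rules.append(opts)
    return rules


def lint_config(config_text: str, included: Dict[str, str]) -> List[str]:
    """Findings for the file that will be given to -c; empty means consistent."""
    findings = []
    plugins = parse_output_plugins(config_text)
    has_idmef = any(name == "idmef" for name, _, _ in plugins)
    if not has_idmef:
        findings.append("no 'output idmef:' line in the file passed with -c; "
                        "Snort loads output plugins only from that file")
    for name, _, kv in plugins:
        if name == "idmef" and "dtd" not in kv:
            findings.append("idmef output plugin is missing its dtd= argument")
    rules = collect_rules(config_text, included)
    if not rules:
        findings.append("no rules found in the config or its include files")
    for opts in rules:
        if "idmef" in opts and not has_idmef:
            findings.append(f"rule sid {opts.get('sid', '?')} uses 'idmef:' "
                            "but no idmef output plugin is configured")
        if "sid" not in opts:
            findings.append("a rule has no sid; Snort requires one")
    return findings


if __name__ == "__main__":
    # Case 1: the rules file itself is handed to -c, as in the quoted command.
    for f in lint_config(RULES_FILE, {}):
        print("rules-as-config:", f)
    # Case 2: a config that carries the output line and includes the rules.
    combined = SNORT_CONF + "include myIdmefRule.rules\n"
    print("combined-config:", lint_config(combined, {"myIdmefRule.rules": RULES_FILE}) or "ok")
```

Run as-is, the first case reports that the file given to `-c` declares no `output idmef:` plugin while its rule requests one, and the second case (output line plus an `include` of the rule file, which is how snort.conf normally pulls in rules) reports nothing. The `included` dictionary stands in for the filesystem so the check can run offline; a real deployment would read the include paths from disk.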