Hosting Provided By

[Snort-devel] IDMEF XML plugin for Snort

From: Dave Terrio <mterrio(at)waffle.cs.dal.ca>
Date: Wed May 14 2003 - 12:39:09 EDT

Hi I've been trying to get the IDMEF output plugin working with snort
- so I downloaded Snort 1.9 with the plugin enabled from
http://www.silicondefense.com/idwg/snort-idmef/

To make a long story short, I'm trying to run on Mandrake 8.1 and am having a lot of trouble. Basically, all I want to do is write IDMEF alerts to a log file - so, in the rules file (snort.conf), I added:

output idmef: $HOME_NET output=alert dtd=/path/ analyzerid=IDSONE facility_default=file\idmef-messages.log

This configuration (based on the example provided in the rles file) seems different from the examples provided with version 0.2.2 of the plugin which call for only the "logto", "dtd" and "analyzer_id" keys. Anyways, I would expect to see IDMEF alerts in /var/log/snort - but am only seeing ASCII alerts - should I be specifying a path somewhere for the IDMEF alerts? Is there something else I should be specifying? Is there a way to write these alerts to sockets?

Any help would be greatly appreciated,
-David

Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Wed May 14 12:44:50 2003

This message: [ Message body ]
Next message: Martin Olsson: "[Snort-devel] New feature wanted - aid when designing rules"
Previous message: Michael Bell: "[Snort-devel] [Fwd: Re: [Snort-users] Bus error on sparc]"
Reply: Poppi, Sandro: "AW: [Snort-devel] IDMEF XML plugin for Snort"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT