Snort mailing list archives

Cannot get IDMEF logs with Snort IDMEF Plugin


From: KjetilR <ausnz74 () aim com>
Date: Sat, 11 Sep 2010 10:03:06 -0400

Hi,
I'm very new to Snort (never used an IDS before) and I'd like to use it 
as a way to generate IDMEF alerts from PCAP files through the IDMEF 
plugin, but so far I've had no luck.

Here is what I've done so far:
- downloaded and installed LibIDMEF 1.0.3 (successfully)
- downloaded Snort IDMEF Plugin 2.0.0beta3 and Snort 2.8.3.2 (that's 
the version said to be working with the latest IDMEF plugin, according 
to the plugin's README file)
- manually patched Snort's source files to install the IDMEF plugin 
(successfully)
- installed Snort (successfully).

I can run Snort and it can read PCAP files, but I haven't been able to 
make it generate IDMEF files from these PCAPs.

I've added the following line to my snort.conf:
output idmef: any output=log dtd=/usr/local/share/idmef-message.dtd analyzerid=IDS1 facility_default=file|/var/log/snort/idmef.log indent=true

and this is the rule (myIdmefRule.rules) I've created to generate the 
IDMEF files from all the traffic logged in the PCAP file:
alert tcp any any -> any any (sid: 111111111; idmef: default;)

However, when I run Snort (from root)
snort -vr myFile.pcap -c /etc/snort/rules/myIdmefRule.rules

all I get is a file named 'alert', with some Snort-generated 
alerts, and another one named snort.log.XXXXXXXXXX, both in 
/var/log/snort/; there's no 'idmef.log' or IDMEF-like file.

Is there anything wrong I've done or am I missing something?
Like I said, I'm new to Snort and I'm not even sure whether the 
PCAP-to-IDMEF conversion is possible...

Thanks in advance.

Regards,

Kjetil
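Added example, not from the original post or from the Snort IDMEF plugin: a small converter that takes a Snort single-line ("fast") alert, the format written to the 'alert' file mentioned above, and emits an RFC 4765 IDMEF-Message carrying the analyzerid from the snort.conf line, so the shape of the expected plugin output can be compared against what Snort actually produced. The sample alert line is constructed, and the year is assumed (the fast format omits it unless Snort runs with -y).

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"   # RFC 4765 namespace
ANALYZER_ID = "IDS1"                 # same value as analyzerid= in the snort.conf line
NTP_OFFSET = 2208988800              # seconds from 1900-01-01 to the Unix epoch
# Snort's single-line "fast" alert format, as written to the 'alert' file.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_fast_alert(line):
    """Return the fields of one fast-alert line as a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def _endpoint(alert, tag, addr, port, proto):
    """Append a Source or Target element carrying Node/Address and Service."""
    ep = ET.SubElement(alert, tag)
    address = ET.SubElement(ET.SubElement(ep, "Node"), "Address", {"category": "ipv4-addr"})
    ET.SubElement(address, "address").text = addr
    service = ET.SubElement(ep, "Service")
    ET.SubElement(service, "port").text = port
    ET.SubElement(service, "protocol").text = proto.lower()

def alert_to_idmef(line, year=2010):
    """Convert one fast-alert line to an IDMEF-Message XML string. The year is an
    assumption: the fast format omits it unless Snort is run with -y."""
    f = parse_fast_alert(line)
    if f is None:
        raise ValueError("not a Snort fast-alert line: " + line)
    when = datetime.strptime(f"{year}/{f['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    unix = when.timestamp()
    ntp = f"0x{int(unix) + NTP_OFFSET:08x}.0x{int((unix % 1) * 2**32):08x}"  # IDMEF ntpstamp form
    root = ET.Element("IDMEF-Message", {"xmlns": IDMEF_NS, "version": "1.0"})
    alert = ET.SubElement(root, "Alert", {"messageid": f"{f['gid']}-{f['sid']}-{f['rev']}"})
    ET.SubElement(alert, "Analyzer", {"analyzerid": ANALYZER_ID, "name": "snort"})
    ET.SubElement(alert, "CreateTime", {"ntpstamp": ntp}).text = when.isoformat()
    _endpoint(alert, "Source", f["src"], f["sport"], f["proto"])
    _endpoint(alert, "Target", f["dst"], f["dport"], f["proto"])
    ET.SubElement(alert, "Classification", {"text": f["msg"]})
    return ET.tostring(root, encoding="unicode")

# Constructed sample line, shaped like what Snort writes for a rule with no msg option.
SAMPLE_ALERT = ("09/11-10:03:06.123456  [**] [1:111111111:0] Snort Alert [1:111111111:0] [**] "
                "[Priority: 0] {TCP} 192.0.2.10:45021 -> 192.0.2.20:80")
```

Calling alert_to_idmef(SAMPLE_ALERT) returns one Alert whose Source, Target and Classification come straight from the alert line.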
