Snort mailing list archives
Re: IDMEF and FreeBSD 4.x
From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 13 Nov 2001 18:13:42 -0800
Rob,

That's a great idea. Attached is the README.IDMEF file. This should prevent further confusion.

Happy Snorting!

-Joe M.

--
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

"Robert D. Hughes" wrote:
> Thanks! I've been banging my head on this for a couple of weeks now. Just to save other poor, stupid souls like myself from this, can we get a README.IDMEF or something added to the distribution?
>
> Thanks,
> Rob
>
> -----Original Message-----
> From: Joe McAlerney [mailto:joey () SiliconDefense com]
> Sent: Monday, November 12, 2001 4:16 PM
> To: Robert D. Hughes
> Cc: Snort-users (E-mail)
> Subject: Re: [Snort-users] IDMEF and FreeBSD 4.x
>
> Hello Robert,
>
> The libntp libraries are available from www.ntp.org. Documentation for libidmef, and the IDMEF XML plugin are available on our site.
IDMEF XML output plugin for Snort, version 0.2.2

Purpose:
----------------------------------------
This plugin converts Snort alerts into Intrusion Detection Message Exchange
Format (IDMEF) XML messages. IDMEF was created by the IDWG working group, a
part of the IETF. For more information on IDMEF, visit
http://www.silicondefense.com/idwg/libidmef/

Usage:
------------------------------------------
To use this plugin, you must compile it into Snort (see INSTALL.idmef), and
activate it in the Snort configuration file. Arguments to the plugin are
specified in the "Arguments" section below.

You must also specify which rules you wish to generate IDMEF XML messages for.
This is done by adding the keyword "idmef", followed by the alert type, to a
rule. Current valid alert types are "web", "overflow", and "default". This will
allow you to specify different output format types for each type of alert.
Some example rules are:

    alert TCP any any -> any 27665 (msg: "IDS196/trin00-attacker-to-master"; flags: AP; content: "betaalmostdone"; idmef: default;)

    alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS434/web-iis-unicode-traversal-backslash"; flags: AP; content: "..|25|c1|25|9c"; nocase; idmef: web;)

In reality, the alert type is not that important. It was added to allow for
further differentiation of alerts in the future. As IDMEF changes, it may be
convenient to build different types of IDMEF messages, and do different things
with them.

IDMEF messages are logged to a user-specified file. The next version of this
plugin will allow IDMEF messages to be transported over IAP.

Arguments:
--------------------------------------
Activate the IDMEF XML plugin by adding "idmef" to your Snort configuration
file, followed by an argument list.

    idmef: $HOME_NET key1=value1 key2=value2 key3=value3 ...

NOTE: Values may not have spaces in them. For values like "location", use
underscores, i.e., location=Client_1_Network

$HOME_NET is in the format: <dotted ip address>/<netmask>
i.e., 123.234.123.0/24

-= The required keys and their associated values are: =-

logto       - The location of the file to log the IDMEF XML alerts to.
dtd         - The location of the IDMEF XML dtd file.
analyzer_id - A unique identifier of this IDS.

-= The optional keys and their associated values are: =-

-=- Analyzer specific keys and values -=-

category - The domain type that this Analyzer is in. The possible values are:
    unknown  - No relevant domain. Default value
    ads      - Windows 2000 ADS
    afs      - Andrew File System
    coda     - CODA distributed file system
    dfs      - DFS distributed file system
    dns      - Domain Name System
    kerberos - Kerberos realm
    nds      - Novell Netware
    nis      - Network Information Service (Yellow Pages)
    nisplus  - Network Information Service Plus
    nt       - Windows NT domain
    wfw      - Windows for Workgroups

name        - The fully qualified domain name of this IDS equipment.
location    - The physical location of this IDS.
address     - The network address of this IDS.
netmask     - The netmask of the address, if appropriate.
address_cat - The type (category) of address provided. The possible values are:
    unknown       - Type not known. Default value
    atm           - Asynchronous Transfer Mode network address
    e-mail        - Internet electronic mail address (RFC822)
    lotus-notes   - Lotus Notes address
    mac           - Media Access Control (MAC) address
    sna           - IBM Shared Network Architecture (SNA) address
    vm            - IBM "VM" (PROFS) electronic mail address
    ipv4-addr     - IPv4 host address in dotted-decimal notation (aaa.bbb.ccc.ddd)
    ipv4-addr-hex - IPv4 host address in hexadecimal
    ipv4-net      - IPv4 network address in dotted-decimal notation, slash, significant bits (aaa.bbb.ccc.ddd/nn)
    ipv4-net-mask - IPv4 network address and associated network mask
    ipv6-addr     - IPv6 host address
    ipv6-net      - IPv6 network address
    ipv6-net-mask - IPv6 network address and associated network mask

-=- HOMENET specific keys and values -=-

homenet_cat - The domain type that the home network is in. The possible values
              are the same as the Analyzer's "category" above.
homenet_loc - The physical location of the home network

-=- Alert specific keys and values -=-

default - The "default" IDMEF message type rule option. The following value
          options configure the way these types of alerts are handled.
    disable - disables the "default" IDMEF message type
    hex     - prints the packet payload for "default" IDMEF message types in hex
    ascii   - prints the packet payload for "default" IDMEF message types in ascii
    base64  - prints the packet payload for "default" IDMEF message types in base64

web - The "web" IDMEF message type rule option. The following value options
      configure the way these types of alerts are handled.
    disable - disables the "web" IDMEF message type
    hex     - prints the packet payload for "web" IDMEF message types in hex
    ascii   - prints the packet payload for "web" IDMEF message types in ascii
    base64  - prints the packet payload for "web" IDMEF message types in base64

overflow - The "overflow" IDMEF message type rule option. The following value
           options configure the way these types of alerts are handled.
    disable - disables the "overflow" IDMEF message type
    hex     - prints the packet payload for "overflow" IDMEF message types in hex
    ascii   - prints the packet payload for "overflow" IDMEF message types in ascii
    base64  - prints the packet payload for "overflow" IDMEF message types in base64

indent - Specifies whether the XML message should be indented. Keep in mind
         that whitespace is significant in XML. The default value is false.
         Possible value:
    true - yep, indent the XML alert

alert_id - Path and filename to the file containing the next alert id number,
           or the place to put alert id numbers if this is the first time this
           plugin has run. (defaults to /var/log/alert_id_number)

Configuration Examples:
------------------------
In your Snort configuration file, you must activate the IDMEF XML plugin, and
pass it arguments.

    output idmef: 123.234.123.0/24 logto=/var/log/snort/idmef_alerts.log analyzer_id=IDS1 dtd=/path/to/idmef-message.dtd

    output idmef: 123.234.123.0/24 logto=/var/log/snort/idmef_alerts.log analyzer_id=IDS1 dtd=/path/to/idmef-message.dtd category=dns location=San_Francisco_network address=123.234.123.55 address_cat=ipv4-addr web=ascii default=hex homenet_loc=San_Francisco_network homenet_cat=dns

Additional Notes:
------------------------------
- I created a crude script (append_idmef.pl) that adds the "idmef" keyword,
  and an alert type to each rule in a rule set. Unless the rule contains some
  form of content indicating that it is a web-based rule, the alert type
  assigned will be "default".

- The IDMEF XML plugin can utilize the reference plugin to associate alerts
  with different identification systems, such as Bugtraq, arachNIDS, and CVE.
  If a "reference" keyword and value is specified in a rule, the IDMEF XML
  plugin will include the information in a Classification element of the
  alert. For example,

    alert TCP any any -> any 80 (msg: "IDS200/web-iis_encoding"; flags: AP; content: "|25 31 75|"; reference: arachNIDS,IDS200; reference: cve,CVE-2000-0024; idmef: web;)

  will produce an IDMEF Message with the following Classifications:

    ...
    <Classification origin="vendor-specific">
      <name>IDS200/web-iis_encoding</name>
      <url>http://www.whitehats.com/info/IDS200</url>
    </Classification>
    <Classification origin="cve">
      <name>IDS200/web-iis_encoding</name>
      <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0024</url>
    </Classification>
    ...

Output Example:
------------------------------
The following is a Snort rule and a sample IDMEF XML message produced. It has
been indented using the "indent=true" argument for readability's sake.

    alert TCP any any -> any 80 (msg: "IDS297/http-directory-traversal1"; flags: AP; content: "../"; reference: arachNIDS,IDS297; idmef: default;)

    <IDMEF-Message version="0.1">
      <Alert alertid="329440" impact="unknown" version="1">
        <Time>
          <ntpstamp>0x3a2d8b3a.0x0</ntpstamp>
          <date>2000-12-05</date>
          <time>16:41:30</time>
        </Time>
        <Analyzer ident="IDS1">
          <Node category="dns">
            <location>San_Francisco_Network</location>
            <name>supersnort</name>
            <Address category="ipv4-addr">
              <address>123.234.123.12</address>
            </Address>
          </Node>
        </Analyzer>
        <Classification origin="vendor-specific">
          <name>IDS297/http-directory-traversal1</name>
          <url>http://www.whitehats.com/info/IDS297</url>
        </Classification>
        <Source spoofed="unknown">
          <Node>
            <Address category="ipv4-addr">
              <address>222.222.111.11</address>
            </Address>
          </Node>
        </Source>
        <Target decoy="unknown">
          <Node category="dns">
            <location>San_Francisco_Network</location>
            <Address category="ipv4-addr">
              <address>123.234.123.7</address>
            </Address>
          </Node>
          <Service ident="0">
            <dport>80</dport>
            <sport>1397</sport>
          </Service>
        </Target>
        <AdditionalData meaning="Packet Payload" type="string">GET ../../stuff/I/shouldnt/be/seeing</AdditionalData>
      </Alert>
    </IDMEF-Message>

TODO:
----------------------------------------
- Add BEEP (IDXP) transport support.
- Add more information to IDMEF messages when Snort's output plugins gain
  additional access to information gathered and produced by input plugins.

FAQ:
-----------------------------------------
Q: When I try to run Snort's configure script, I get errors.

A1: Make sure you followed the directions in INSTALL.idmef, and pasted the
    information into configure.in correctly. Also, make sure you ran autoconf.

A2: Make sure libxml2, libntp, and libidmef are all installed. See
    INSTALL.idmef for information on how to get those libraries. Also, make
    sure the script can find those libraries. You may have to use additional
    configure options (as described in INSTALL.idmef) to point the script to
    the library and header file locations.

A3: You may need to run "ldconfig /usr/local/lib", delete config.cache in the
    snort source directory, and run configure again. I have found this to
    happen on OpenBSD.

Q: I can configure Snort, but I get errors when trying to compile it.

A1: Be sure you are using libxml2, and not libxml1. Check your /usr/local/lib
    or /usr/lib directories to make sure the links are pointed to libxml2.

A2: Did you use the --enable-idmef option when you ran configure? (This one
    still gets me... go figure).

TESTED PLATFORMS:
---------------------------
+ Red Hat 6.1, 7.0
+ Debian 2.2 running Linux 2.4.2
+ OpenBSD 2.6, 2.8
+ FreeBSD 4.2

Contact:
-------------------------------------
Please feel free to send me questions and comments.

Joe McAlerney
Silicon Defense
joey () silicondefense com
http://www.silicondefense.com
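As an added illustration (not part of the README or the plugin's own code), the following checks one `output idmef:` line against the argument rules documented above: the `$HOME_NET` format, the three required keys, the no-spaces rule for values, and the documented value sets for `category`, `homenet_cat`, `address_cat`, the per-type payload options and `indent`. The function name and the `KNOWN` key list are my own; the real plugin may be more or less strict than this.

```python
import ipaddress

# Value sets copied from the README above (0.2.2); KNOWN is my own list of every documented key.
REQUIRED = {"logto", "dtd", "analyzer_id"}
CATEGORIES = {"unknown", "ads", "afs", "coda", "dfs", "dns", "kerberos",
              "nds", "nis", "nisplus", "nt", "wfw"}
ADDRESS_CATS = {"unknown", "atm", "e-mail", "lotus-notes", "mac", "sna", "vm",
                "ipv4-addr", "ipv4-addr-hex", "ipv4-net", "ipv4-net-mask",
                "ipv6-addr", "ipv6-net", "ipv6-net-mask"}
PAYLOAD_OPTS = {"disable", "hex", "ascii", "base64"}
KNOWN = REQUIRED | {"category", "name", "location", "address", "netmask",
                    "address_cat", "homenet_cat", "homenet_loc", "default",
                    "web", "overflow", "indent", "alert_id"}

def check_idmef_output(line):
    """Return (config dict, list of problems) for one 'output idmef:' line."""
    problems = []
    prefix, _, rest = line.partition(":")
    tokens = rest.split()
    if prefix.split() != ["output", "idmef"] or not tokens:
        return {}, ["expected: output idmef: $HOME_NET key=value ..."]
    cfg = {"homenet": tokens[0]}
    try:  # README format is <dotted ip address>/<netmask>, so a bare address is rejected
        if "/" not in tokens[0]:
            raise ValueError
        ipaddress.ip_network(tokens[0], strict=False)
    except ValueError:
        problems.append(f"bad $HOME_NET {tokens[0]!r}: expected a.b.c.d/nn")
    for tok in tokens[1:]:
        key, eq, value = tok.partition("=")
        if not eq or not value:
            # A bare word here usually means a value contained a space and was split apart.
            problems.append(f"stray token {tok!r}: values may not contain spaces (use underscores)")
            continue
        if key not in KNOWN:
            problems.append(f"unknown key {key!r}")
        cfg[key] = value
    for key in sorted(REQUIRED - set(cfg)):
        problems.append(f"required key {key!r} missing")
    for key in ("category", "homenet_cat"):
        if key in cfg and cfg[key] not in CATEGORIES:
            problems.append(f"{key}={cfg[key]} is not a documented domain type")
    if "address_cat" in cfg and cfg["address_cat"] not in ADDRESS_CATS:
        problems.append(f"address_cat={cfg['address_cat']} is not a documented address category")
    for key in ("default", "web", "overflow"):
        if key in cfg and cfg[key] not in PAYLOAD_OPTS:
            problems.append(f"{key}={cfg[key]} must be one of disable/hex/ascii/base64")
    if "indent" in cfg and cfg["indent"] != "true":
        problems.append("indent accepts only the value 'true'")
    return cfg, problems
```

Both configuration lines from the README pass cleanly; a line with a bare `$HOME_NET`, a `location` containing spaces, a missing `dtd` and an undocumented domain type reports each of those separately.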