Snort mailing list archives

AW: About IDMEF XML


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Mon, 14 Apr 2003 08:09:47 +0200

Hi Lucy,

I ran into the same problem (IDMEF(): not an IDMEF rule, returning), but
re-reading README.idmef solved it: for each rule you have to add something
like
 idmef:default;
so the idmef plugin is used, e.g.

alert icmp any any -> any any (msg:"Test";idmef:default;)

About the segfault, I'm currently investigating what's happening. Try using
ElectricFence (which is shipped with my RedHat installation) and link snort
against it; this might show you some more info (btw, I'm running snort
2.0.0rc4 with the idmef plugin).

HTH,
Sandro
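The fix Sandro describes above, as an added example rather than code from the original thread or from the plugin's own append_idmef.pl: a small script that walks a Snort rules file and appends `idmef:default;` to the option body of every rule that does not already carry an `idmef:` option, leaving comments, `var`/`output`/preprocessor directives and already-tagged rules alone. It assumes one rule per line (no backslash continuations) and that every action in RULE_ACTIONS should be tagged; the sample rules file is constructed for the demonstration.

```python
#!/usr/bin/env python
"""Append an idmef:default; option to every Snort rule that lacks one.

Added example, not the IDMEF plugin's own append_idmef.pl. Assumes one
rule per line (no backslash continuations) and that every rule action
listed in RULE_ACTIONS should be tagged.
"""
import re
import sys

# Snort rule actions whose option body the IDMEF output plugin inspects.
RULE_ACTIONS = ("alert", "log", "pass", "activate", "dynamic")
IDMEF_OPTION = "idmef:default;"

# Constructed sample rules file used when no file name is given.
SAMPLE_RULES = '''\
# comment line, must be left alone
var HOME_NET any
output alert_syslog: LOG_AUTH LOG_ALERT
alert icmp any any -> any any (msg:"Test";)
alert icmp any any -> any any (msg:"Already tagged"; idmef:default;)
alert tcp any any -> any 23 (msg:"Telnet"; flags:S; sid:1000001)
log tcp any any -> any any
'''


def is_rule(line):
    """True if the line starts with a Snort rule action."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    return stripped.split(None, 1)[0] in RULE_ACTIONS


def has_idmef_option(line):
    """True if the rule already carries an idmef: option."""
    return re.search(r"\bidmef\s*:", line) is not None


def add_idmef_option(line, option=IDMEF_OPTION):
    """Return the rule with the IDMEF option appended to its option body.
    Non-rule lines and rules that already have an idmef: option are
    returned unchanged."""
    if not is_rule(line) or has_idmef_option(line):
        return line
    stripped = line.strip()
    if stripped.endswith(")"):
        body = stripped[:-1].rstrip()
        # Snort needs ';' between options, so terminate the previous one
        # unless the option body is empty or already terminated.
        if not body.endswith("(") and not body.endswith(";"):
            body += ";"
        return body + option + ")"
    # A rule without any option body gets one holding only the tag.
    return stripped + " (" + option + ")"


def tag_rules(text):
    """Process a whole rules file; return (new_text, rules_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        new = add_idmef_option(line)
        if new != line:
            changed += 1
        out.append(new)
    return "\n".join(out) + "\n", changed


def untagged_rules(text):
    """Rules that would still make the plugin log
    'IDMEF(): not an IDMEF rule, returning'."""
    return [l.strip() for l in text.splitlines()
            if is_rule(l) and not has_idmef_option(l)]


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    new_text, n = tag_rules(src)
    sys.stdout.write(new_text)
    sys.stderr.write("%d rule(s) tagged, %d still untagged\n"
                     % (n, len(untagged_rules(new_text))))
```

Run it as `python tag_idmef.py snort.rules > snort-idmef.rules` and check that the "still untagged" count on stderr is 0 before restarting snort; a non-zero count means some rule will still be skipped by the plugin. Rules spread over several lines with backslash continuations would have to be joined first.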

Hi,
  I run snort (snort-1.9.0-idmef-1.1) in debug mode and get these
messages:
 IDMEF: IDMEF output facility = alert
 IDMEF: IDMEF XML dtd = idmef-message.dtd
 IDMEF: IDMEF analyzerid = IDS1
 IDMEF: Indented output: true
 IDMEF: IDS alert_id file = /var/log/alert_id_num
 IDMEF: Done parsing args
 getStoredAlertID: Stored alert ID not found in
/var/log/alert_id_num, continuing with alert ID = 1
 idmef: No stored alert id.  Continuing with alert id
= 1
!!!!!!!1334 Snort rules read...
1334 Option Chains linked into 147 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order:
->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch () sourcefire com,
www.snort.org)
IDMEF(): Unknown caller type, returning
IDMEF(): Unknown caller type, returning
IDMEF(): not an IDMEF rule, returning
IDMEF(): not an IDMEF rule, returning
IDMEF(): not an IDMEF rule, returning
IDMEF(): not an IDMEF rule, returning
IDMEF(): not an IDMEF rule, returning
IDMEF(): not an IDMEF rule, returning
Segmentation fault
  Now alert_id_number is more (in /var/log), while alert_id_num is empty.
idmef-messages.log is empty too.
  What is wrong?
  BTW, I configured snort with the options --enable-idmef --enable-debug
--with-libxml2-includes=dir1 --with-libidmef-includes=dir2
--with-libntp-libraries=dir3, and configured libidmef with the options
--enable-debug --with-libxml2-includes=dir1.
  The rules were modified by append_idmef.pl (provided by
idmef-xml-plugin-0.2.2.tar.gz).
  Any reply is welcome and appreciated.

Lucy



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of 
TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you 
feeling lost and 
disoriented. TotalView can help you find your way. Available 
on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


