Snort mailing list archives

Re: Incorrect content-type header in XML output module?


From: roman () danyliw com
Date: Fri, 1 Jun 2001 15:02:26 US/Eastern

Patrick,

The "multipart/form-data" was an artifact of the code which
was used to parse this HTTPS stream.  However, you are
correct.  The Content-Type should more appropriately read
"text/xml".

CVS write-access developers: Please commit this attached patch

[CVS message: update the Content-Type of the HTTP
header to "text/xml" to properly reflect that Snort is sending
XML]

cheers,
Roman

To the snort developers,

First off, let me say just how great Snort is. Snort is just great. It is
swell and happy and fun. To be honest, I feel ashamed to be complaining
about it because otherwise it's just great. But there's one little picky
detail that's gotten under my skin lately.

I've been using the XML output module and experimenting with pulling the
data into PHP via the http protocol. The XML output module for snort 1.7
provides a "Content-type: multipart/form-data" header to the http server,
but then dumps the alert in XML format. This creates a problem when the
PHP server tries to parse the data in name/value pairs but doesn't find
anything resembling the multipart/form-data content type it was promised.

By patching the spo_xml.h file (defining CONTENT_TYPE to be anything
other than multipart/form-data) I am able to use PHP to directly parse
the XML alerts. I would like to suggest that instead of using the
incorrect content type as is currently done, the default Content-type be
changed to text/xml or something similar to more correctly represent the
actual type of content being sent.

This would help me and anyone else wanting to integrate the XML module
into a PHP environment. The project I'm working on now (the Cerias
Incident Response Database https://www.cerias.purdue.edu/irdb/ ) is heavily
based on PHP. Our users are pushing for snort support, and we would like
to be able to support it "out of the box". As it stands, anyone who wants
to use PHP to parse the XML alerts coming via http would have to modify
snort.

Thanks in advance,
Patrick F.

--
"BUGS
     Flood pinging the broadcast address is not recommended." -- ping(1)



Attachment: spo_xml.h.patch
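
The mismatch discussed in this thread, as an added example that is not part of the original messages or of Snort: a receiver that parses a POST body strictly by its declared Content-Type finds no form fields in an XML body labelled multipart/form-data, and parses the same body once it is labelled text/xml. Python stands in for the PHP receiver; `parse_post`, the sample alert and its element names are constructed for illustration and are not Snort's actual XML schema.

```python
from email.parser import BytesParser
from email.policy import default
import xml.etree.ElementTree as ET

# Constructed sample alert; element names are illustrative, not Snort's schema.
SAMPLE_ALERT = (b'<?xml version="1.0"?>'
                b"<alert><sensor>lab-1</sensor>"
                b"<signature>ICMP PING</signature></alert>")

# Constructed, well-formed multipart/form-data body for comparison.
SAMPLE_FORM = (b"--XYZ\r\n"
               b'Content-Disposition: form-data; name="sensor"\r\n\r\n'
               b"lab-1\r\n--XYZ--\r\n")


def parse_post(content_type: str, body: bytes) -> dict:
    """Parse a POST body strictly according to its declared Content-Type."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    declared = msg.get_content_type()

    if declared == "multipart/form-data":
        # No boundary parameter, or no boundary lines in the body:
        # the body is not multipart, so there are no name/value pairs.
        if not msg.is_multipart():
            return {}
        return {part.get_param("name", header="content-disposition"):
                part.get_content().strip() for part in msg.iter_parts()}

    if declared in ("text/xml", "application/xml"):
        # Alerts arrive over the network: refuse DTDs so that entity
        # expansion cannot be used against the parser.
        if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
            raise ValueError("DTDs are not accepted in alert documents")
        root = ET.fromstring(body)
        return {child.tag: (child.text or "") for child in root}

    raise ValueError("unsupported Content-Type: " + declared)


if __name__ == "__main__":
    print(parse_post("multipart/form-data", SAMPLE_ALERT))  # header as in Snort 1.7
    print(parse_post("text/xml", SAMPLE_ALERT))             # header after the patch
```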