Snort mailing list archives
Re: Incorrect content-type header in XML output module?
From: roman () danyliw com
Date: Fri, 1 Jun 2001 15:02:26 US/Eastern
Patrick,

The "multipart/form-data" was an artifact of the code which was used to parse this HTTPS stream. However, you are correct. The Content-Type should more appropriately read "text/xml".

CVS write-access developers: Please commit this attached patch [CVS message: update the Content-Type of the HTTP header to "text/xml" to properly reflect that Snort is sending XML]

cheers,
Roman
To the snort developers,

First off, let me say just how great Snort is. Snort is just great. It is swell and happy and fun. To be honest, I feel ashamed to be complaining about it because otherwise it's just great. But there's one little picky detail that's gotten under my skin lately.

I've been using the XML output module and experimenting with pulling the data into PHP via the http protocol. The XML output module for snort 1.7 provides a "Content-type: multipart/form-data" header to the http server, but then dumps the alert in XML format. This creates a problem when the PHP server tries to parse the data in name/value pairs but doesn't find anything resembling the multipart/form-data content type it was promised. By patching the spo_xml.h file (defining CONTENT_TYPE to be anything other than multipart/form-data) I am able to use PHP to directly parse the XML alerts.

I would like to suggest that instead of using the incorrect content type as is currently done, the default Content-type be changed to text/xml or something similar to more correctly represent the actual type of content being sent. This would help myself and anyone else wanting to integrate the XML module into a PHP environment.

The project I'm working on now (the Cerias Incident Response Database https://www.cerias.purdue.edu/irdb/ ) is heavily based on PHP. Our users are pushing for snort support, and we would like to be able to support it "out of the box". As it stands, anyone who wants to use PHP to parse the XML alerts coming via http would have to modify snort.

Thanks in advance,
Patrick F.

--
"BUGS Flood pinging the broadcast address is not recommended." -- ping(1)
Attachment: spo_xml.h.patch
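The mismatch discussed in this thread, as an added example that is not part of either message or of Snort's code: a receiver that parses a POST body strictly according to the declared Content-Type. It is written in Python rather than PHP; the function name, the sample alert and its element names are constructed for illustration and are not Snort's XML schema.

```python
from email import policy
from email.parser import BytesParser
import xml.etree.ElementTree as ET

# Constructed sample body; the element names are illustrative only.
SAMPLE_ALERT = (b'<?xml version="1.0"?>'
                b'<alert><sig>constructed test signature</sig>'
                b'<src>192.0.2.10</src></alert>')


def parse_post(content_type: str, body: bytes) -> dict:
    """Parse a POST body the way the declared Content-Type says to."""
    head = f"Content-Type: {content_type}\r\n\r\n".encode("ascii")
    msg = BytesParser(policy=policy.default).parsebytes(head + body)
    kind = msg.get_content_type()

    if kind == "multipart/form-data":
        # Form handler: collect name/value pairs from the MIME parts.
        # An XML body contains no parts, so nothing is found.
        fields = {}
        for part in msg.iter_parts():
            name = part.get_param("name", header="content-disposition")
            if name:
                fields[name] = part.get_content()
        return {"handler": "form", "fields": fields}

    if kind in ("text/xml", "application/xml"):
        # Alerts arrive over the network: refuse DTD/entity declarations
        # instead of handing them to the XML parser.
        if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
            raise ValueError("DTD/entity declarations rejected")
        root = ET.fromstring(body)
        return {"handler": "xml",
                "fields": {child.tag: child.text for child in root}}

    # Do not guess at a body whose type is not on the allow-list.
    raise ValueError(f"unsupported Content-Type: {kind}")


if __name__ == "__main__":
    # Same body, two declared types: the first yields no fields.
    print(parse_post("multipart/form-data", SAMPLE_ALERT))
    print(parse_post("text/xml", SAMPLE_ALERT))
```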
Current thread:
- Incorrect content-type header in XML output module? patrick.n.fitzgerald.1 (May 29)
- <Possible follow-ups>
- Re: Incorrect content-type header in XML output module? roman (Jun 01)