Snort mailing list archives
Re: idmef on FreeBSD
From: Joe McAlerney <joey () SiliconDefense com>
Date: Mon, 08 Apr 2002 11:17:34 -0700
Hello Rob,

I added some information to the README.IDMEF file pointing folks to the rest
of the documentation. We may do something different for the next release,
scheduled for the end of May or early June, which will include IDXP transport.

Thanks,

-Joe M.

[If someone with cvs access could update README.IDMEF with the attached,
that'd be great. Thanks]

--
Joe McAlerney
Silicon Defense: IDS Solutions

Rob Hughes wrote:
All,

Just noticed that the INSTALL.idmef file mentioned in README.IDMEF included
with snort isn't present in the cvs distribution. Granted, 2 minutes on google
got me there, but if you want to head off some needless questions, you might
want to include the file.

Thanks,
Rob
IDMEF XML output plugin for Snort, version 0.2.2

Purpose:
----------------------------------------
This plugin converts Snort alerts into Intrusion Detection Message Exchange
Format (IDMEF) XML messages. IDMEF was created by the IDWG working group, a
part of the IETF. For more information on IDMEF, visit
http://www.silicondefense.com/idwg/libidmef/

For additional tools and documentation, download the entire IDMEF plugin
package at http://www.silicondefense.com/idwg/snort-idmef/. Files mentioned
in this README are included there.

Usage:
------------------------------------------
To use this plugin, you must compile it into Snort (see INSTALL.idmef) and
activate it in the Snort configuration file. Arguments to the plugin are
specified in the "Arguments" section below.

You must also specify which rules you wish to generate IDMEF XML messages for.
This is done by adding the keyword "idmef", followed by the alert type, to a
rule. Current valid alert types are "web", "overflow", and "default". This
allows you to specify a different output format type for each type of alert.
Some example rules are:

  alert TCP any any -> any 27665 (msg: "IDS196/trin00-attacker-to-master"; flags: AP; content: "betaalmostdone"; idmef: default;)

  alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS434/web-iis-unicode-traversal-backslash"; flags: AP; content: "..|25|c1|25|9c"; nocase; idmef: web;)

In reality, the alert type is not that important. It was added to allow for
further differentiation of alerts in the future. As IDMEF changes, it may be
convenient to build different types of IDMEF messages and do different things
with them.

IDMEF messages are logged to a user-specified file. The next version of this
plugin will allow IDMEF messages to be transported over IAP.

Arguments:
--------------------------------------
Activate the IDMEF XML plugin by adding "idmef" to your Snort configuration
file, followed by an argument list:

  idmef: $HOME_NET key1=value1 key2=value2 key3=value3 ...
NOTE: Values may not have spaces in them. For values like "location", use
underscores, i.e., location=Client_1_Network

$HOME_NET is in the format <dotted ip address>/<netmask>, i.e., 123.234.123.0/24

-= The required keys and their associated values are: =-

  logto       - The location of the file to log the IDMEF XML alerts to.
  dtd         - The location of the IDMEF XML dtd file.
  analyzerid  - A unique identifier of this IDS.
  output      - Specifies whether to use the "alert" or "log" facility.

-= The optional keys and their associated values are: =-

-=- Analyzer specific keys and values -=-

  category    - The domain type that this Analyzer is in. The possible values
                are:
                  unknown  - No relevant domain. Default value
                  ads      - Windows 2000 ADS
                  afs      - Andrew File System
                  coda     - CODA distributed file system
                  dfs      - DFS distributed file system
                  dns      - Domain Name System
                  kerberos - Kerberos realm
                  nds      - Novell Netware
                  nis      - Network Information Service (Yellow Pages)
                  nisplus  - Network Information Service Plus
                  nt       - Windows NT domain
                  wfw      - Windows for Workgroups
  name        - The fully qualified domain name of this IDS equipment.
  location    - The physical location of this IDS.
  address     - The network address of this IDS.
  netmask     - The netmask of the address, if appropriate.
  address_cat - The type (category) of address provided. The possible values
                are:
                  unknown       - Type not known.
                                  Default value
                  atm           - Asynchronous Transfer Mode network address
                  e-mail        - Internet electronic mail address (RFC822)
                  lotus-notes   - Lotus Notes address
                  mac           - Media Access Control (MAC) address
                  sna           - IBM Shared Network Architecture (SNA) address
                  vm            - IBM "VM" (PROFS) electronic mail address
                  ipv4-addr     - IPv4 host address in dotted-decimal notation (aaa.bbb.ccc.ddd)
                  ipv4-addr-hex - IPv4 host address in hexadecimal
                  ipv4-net      - IPv4 network address in dotted-decimal notation, slash, significant bits (aaa.bbb.ccc.ddd/nn)
                  ipv4-net-mask - IPv4 network address and associated network mask
                  ipv6-addr     - IPv6 host address
                  ipv6-net      - IPv6 network address
                  ipv6-net-mask - IPv6 network address and associated network mask

-=- HOMENET specific keys and values -=-

  homenet_cat - The domain type that the home network is in. The possible
                values are the same as the Analyzer's "category" above.
  homenet_loc - The physical location of the home network.

-=- Alert specific keys and values -=-

  default     - The "default" IDMEF message type rule option. The following
                value options configure the way these types of alerts are
                handled.
                  disable - disables the "default" IDMEF message type
                  hex     - prints the packet payload for "default" IDMEF message types in hex
                  ascii   - prints the packet payload for "default" IDMEF message types in ascii
                  base64  - prints the packet payload for "default" IDMEF message types in base64
  web         - The "web" IDMEF message type rule option. The following value
                options configure the way these types of alerts are handled.
                  disable - disables the "web" IDMEF message type
                  hex     - prints the packet payload for "web" IDMEF message types in hex
                  ascii   - prints the packet payload for "web" IDMEF message types in ascii
                  base64  - prints the packet payload for "web" IDMEF message types in base64
  overflow    - The "overflow" IDMEF message type rule option. The following
                value options configure the way these types of alerts are
                handled.
                  disable - disables the "overflow" IDMEF message type
                  hex     - prints the packet payload for "overflow" IDMEF message types in hex
                  ascii   - prints the packet payload for "overflow" IDMEF message types in ascii
                  base64  - prints the packet payload for "overflow" IDMEF message types in base64
  indent      - Specifies whether the XML message should be indented. Keep in
                mind that whitespace is significant in XML. The default value
                is false. Possible value:
                  true - yep, indent the XML alert
  alert_id    - Path and filename of the file containing the next alert id
                number, or the place to put alert id numbers if this is the
                first time this plugin has run. (defaults to
                /var/log/alert_id_number)

Configuration Examples:
------------------------
In your Snort configuration file, you must activate the IDMEF XML plugin and
pass it arguments.

  output idmef: 123.234.123.0/24 output=alert logto=/var/log/snort/idmef_alerts.log analyzer_id=IDS1 dtd=/path/to/idmef-message.dtd

  output idmef: 123.234.123.0/24 output=alert logto=/var/log/snort/idmef_alerts.log analyzer_id=IDS1 dtd=/path/to/idmef-message.dtd category=dns location=San_Francisco_network address=123.234.123.55 address_cat=ipv4-addr web=ascii default=hex homenet_loc=San_Francisco_network homenet_cat=dns

Additional Notes:
------------------------------
- I created a crude script (append_idmef.pl) that adds the "idmef" keyword and
  an alert type to each rule in a rule set. Unless the rule contains some form
  of content indicating that it is a web-based rule, the alert type assigned
  will be "default".

- The IDMEF XML plugin can utilize the reference plugin to associate alerts
  with different identification systems, such as Bugtraq, arachNIDS, and CVE.
  If a "reference" keyword and value is specified in a rule, the IDMEF XML
  plugin will include the information in a Classification element of the
  alert.
  For example,

    alert TCP any any -> any 80 (msg: "IDS200/web-iis_encoding"; flags: AP; content: "|25 31 75|"; reference: arachNIDS,IDS200; reference: cve,CVE-2000-0024; idmef: web;)

  will produce an IDMEF Message with the following Classifications:

    ...
    <Classification origin="vendor-specific">
      <name>IDS200/web-iis_encoding</name>
      <url>http://www.whitehats.com/info/IDS200</url>
    </Classification>
    <Classification origin="cve">
      <name>IDS200/web-iis_encoding</name>
      <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0024</url>
    </Classification>
    ...

Output Example:
------------------------------
The following is a Snort rule and a sample IDMEF XML message produced from it.
It has been indented using the "indent=true" argument for readability's sake.

  alert TCP any any -> any 80 (msg: "IDS297/http-directory-traversal1"; flags: AP; content: "../"; reference: arachNIDS,IDS297; idmef: default;)

  <IDMEF-Message version="0.1">
    <Alert alertid="329440" impact="unknown" version="1">
      <Time>
        <ntpstamp>0x3a2d8b3a.0x0</ntpstamp>
        <date>2000-12-05</date>
        <time>16:41:30</time>
      </Time>
      <Analyzer ident="IDS1">
        <Node category="dns">
          <location>San_Francisco_Network</location>
          <name>supersnort</name>
          <Address category="ipv4-addr">
            <address>123.234.123.12</address>
          </Address>
        </Node>
      </Analyzer>
      <Classification origin="vendor-specific">
        <name>IDS297/http-directory-traversal1</name>
        <url>http://www.whitehats.com/info/IDS297</url>
      </Classification>
      <Source spoofed="unknown">
        <Node>
          <Address category="ipv4-addr">
            <address>222.222.111.11</address>
          </Address>
        </Node>
      </Source>
      <Target decoy="unknown">
        <Node category="dns">
          <location>San_Francisco_Network</location>
          <Address category="ipv4-addr">
            <address>123.234.123.7</address>
          </Address>
        </Node>
        <Service ident="0">
          <dport>80</dport>
          <sport>1397</sport>
        </Service>
      </Target>
      <AdditionalData meaning="Packet Payload" type="string">GET ../../stuff/I/shouldnt/be/seeing</AdditionalData>
    </Alert>
  </IDMEF-Message>

TODO:
----------------------------------------
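As an added example (not part of the README or the plugin package), a Python reader that flattens one IDMEF 0.1 message of the shape shown above into a record a log pipeline can index, including the Classification tuples produced from "reference:" options; the input is the README's own output example, embedded inline as constructed sample data.

```python
import xml.etree.ElementTree as ET
# Constructed input: the sample IDMEF 0.1 message from the README's "Output
# Example" above, using the README's own illustrative addresses and ids.
SAMPLE_IDMEF = """<IDMEF-Message version="0.1">
 <Alert alertid="329440" impact="unknown" version="1">
  <Time><ntpstamp>0x3a2d8b3a.0x0</ntpstamp><date>2000-12-05</date><time>16:41:30</time></Time>
  <Analyzer ident="IDS1"><Node category="dns"><location>San_Francisco_Network</location>
   <name>supersnort</name><Address category="ipv4-addr"><address>123.234.123.12</address></Address></Node></Analyzer>
  <Classification origin="vendor-specific"><name>IDS297/http-directory-traversal1</name>
   <url>http://www.whitehats.com/info/IDS297</url></Classification>
  <Source spoofed="unknown"><Node><Address category="ipv4-addr"><address>222.222.111.11</address></Address></Node></Source>
  <Target decoy="unknown"><Node category="dns"><location>San_Francisco_Network</location>
   <Address category="ipv4-addr"><address>123.234.123.7</address></Address></Node>
   <Service ident="0"><dport>80</dport><sport>1397</sport></Service></Target>
  <AdditionalData meaning="Packet Payload" type="string">GET ../../stuff/I/shouldnt/be/seeing</AdditionalData>
 </Alert>
</IDMEF-Message>"""

def _text(parent, path):
    """Text of the first element matching path under parent, or None if absent."""
    el = parent.find(path) if parent is not None else None
    return el.text if el is not None else None

def _int(parent, path):  # ports: int, or None when the element is absent
    text = _text(parent, path)
    return int(text) if text is not None else None

def parse_idmef_alert(xml_text):
    """Flatten one IDMEF 0.1 <Alert> as the Snort plugin emits it into a dict.
    Raises ValueError for input that is not an IDMEF-Message with an Alert, so
    a truncated log entry fails loudly instead of yielding half a record."""
    root = ET.fromstring(xml_text)  # stdlib parser; does not fetch the external DTD
    alert = root.find("Alert")
    if root.tag != "IDMEF-Message" or alert is None:
        raise ValueError("not an IDMEF-Message carrying an Alert")
    analyzer = alert.find("Analyzer")
    return {
        "alertid": alert.get("alertid"),
        "timestamp": "%sT%s" % (_text(alert, "Time/date"), _text(alert, "Time/time")),
        "analyzer": analyzer.get("ident") if analyzer is not None else None,
        "src_ip": _text(alert, "Source/Node/Address/address"),
        "dst_ip": _text(alert, "Target/Node/Address/address"),
        "sport": _int(alert, "Target/Service/sport"),
        "dport": _int(alert, "Target/Service/dport"),
        "payload": _text(alert, "AdditionalData[@meaning='Packet Payload']"),
        # one tuple per Classification; several "reference:" options yield several
        "classifications": [(c.get("origin"), _text(c, "name"), _text(c, "url"))
                            for c in alert.findall("Classification")],
    }
```

Because the plugin writes the payload as raw text, a payload containing "<" or "&" will not parse; treating that as an error rather than skipping it is the safer default for an alert log.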
- Add BEEP (IDXP) transport support.
- Add more information to IDMEF messages when Snort's output plugins gain
  additional access to information gathered and produced by input plugins.

FAQ:
-----------------------------------------
Q: When I try to run Snort's configure script, I get errors.

A1: Make sure you followed the directions in INSTALL.idmef and pasted the
    information into configure.in correctly. Also, make sure you ran autoconf.

A2: Make sure libxml2 and libidmef are installed. See INSTALL.idmef for
    information on how to get those libraries. Also, make sure the script can
    find those libraries. You may have to use additional configure options (as
    described in INSTALL.idmef) to point the script to the library and header
    file locations.

A3: You may need to run "ldconfig /usr/local/lib", delete config.cache in the
    snort source directory, and run configure again. I have found this to
    happen on OpenBSD.

Q: I can configure Snort, but I get errors when trying to compile it.

A1: Be sure you are using libxml2, and not libxml1. Check your /usr/local/lib
    or /usr/lib directories to make sure the links point to libxml2.

A2: Did you use the --enable-idmef flag when you ran configure? (This one still
    gets me... go figure).

TESTED PLATFORMS:
---------------------------
+ Red Hat 6.1, 7.0
+ Debian 2.2 running Linux 2.4.2
+ OpenBSD 2.6, 2.8
+ FreeBSD 4.2

Contact:
-------------------------------------
Please feel free to send me questions and comments.

Joe McAlerney
Silicon Defense
joey () silicondefense com
http://www.silicondefense.com