CERT Knowledgebase
Snort XML Plug-in
This web page contains the latest information about XML support for the snort intrusion detection system. The XML plug-in was introduced into snort after the 1.6.3 release. You can always find the most up to date version of this plug-in by downloading the development version of snort from CVS.
The XML plug-in enables snort to log in SNML - simple network markup language [v0.1] [v0.2] aka (snort markup language) to a file or over a network. The DTDs are available at:
http://www.cert.org/DTD/snml-0.1.dtd
http://www.cert.org/DTD/snml-0.2.dtd
You can use this plug-in with one or more snort sensors to log to a central database and create an intrusion detection infrastructure within your network. The plugin will also enable you to automatically report alerts to the CERT Coordination Center, your response team, or your managed IDS provider.
This plugin was developed at the CERT Coordination Center as part of the AIRCERT project. We encourage you to visit the AIRCERT website for more information on how you can benefit from participating in the AIRCERT prototype.
The SNML DTD is in its early phases of development and is likely to be modified as it undergoes public scrutiny. Be aware of this as you develop analysis applications.
Installing and configuring XML support in snort
Purpose:
This plug-in enables snort to log XML data to a file or
to a remote server.
Arguments:
    output xml: [log | alert], [parameter list]
    [log | alert] selects whether the plugin uses the alert or
    log facility.
    The [parameter list] consists of key=value pairs. The proper
    format is a list of key=value pairs, each separated by a space.
    file     - when this is the only parameter it will log to
               a file on the local machine. Otherwise, if
               http or https is employed (see protocol), this is
               the script which is to be executed on the remote host.
    protocol - The possible values for this field are
                 http  - send a POST over HTTP to a webserver
                         (required: a [file] parameter)
                 https - just like http but ssl encrypted and
                         mutually authenticated.
                         (required: a [file], [cert], [key] parameter)
                 tcp   - A simple tcp connection. You need to
                         use some sort of listener
                         (required: a [port] parameter)
                 iap   - An implementation of the Intrusion Alert
                         Protocol
    host     - remote host where the logs are to be sent
    port     - The port number to connect to
               (default ports are)
                 http   80
                 https  443
                 tcp    9000
                 iap    9000
    cert     - the client X.509 certificate to use with https (PEM formatted)
    key      - the client private key to use with https (PEM formatted)
    ca       - the CA certificate used to validate the https server's
               certificate (PEM formatted)
    server   - the (Common Name/CN) from the Subject of the X.509 certificate
               identifying the only server with which to communicate.
    sanitize - The argument is a network/netmask combination for an
               IP range you wish to be sanitized in the output. Any IP
               address within the range you specify will be represented
               as "xxx.xxx.xxx.xxx". You can use sanitize multiple times
               to represent multiple IP ranges.
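To show what the sanitize option does to a record before it leaves the sensor, here is an added Python example; it is not the plug-in's own code. It takes the network/netmask values as they would appear on the config line and masks every IPv4 address that falls inside one of them as "xxx.xxx.xxx.xxx". The record it runs on is constructed, its element and attribute names are illustrative rather than taken from the SNML DTD, and accepting prefix lengths as well as dotted-quad netmasks is an assumption about the option's syntax.

```python
import ipaddress
import re

# Added example of the plug-in's "sanitize" option (not the plug-in's own code):
# every IPv4 address inside a configured network/netmask range is rewritten as
# "xxx.xxx.xxx.xxx" before the record leaves the sensor, so a sensor can report
# to a third party without disclosing its internal address plan.

MASKED = "xxx.xxx.xxx.xxx"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sanitizer(ranges):
    """Turn sanitize=network/netmask values (as written on the config line)
    into a function that masks matching addresses in a block of text.

    Dotted-quad netmasks (10.0.0.0/255.0.0.0) and prefix lengths (10.0.0.0/8)
    are both accepted; that is an assumption about the option's syntax.
    """
    networks = [ipaddress.ip_network(r, strict=False) for r in ranges]

    def replace(match):
        literal = match.group(0)
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            return literal      # e.g. "300.1.1.1" is not an address; leave it alone
        return MASKED if any(addr in net for net in networks) else literal

    def sanitize(text):
        return IPV4_RE.sub(replace, text)

    return sanitize


# Constructed SNML-like record; element and attribute names are illustrative,
# not taken from the SNML DTD.
SAMPLE_RECORD = (
    '<event>'
    '<sensor hostname="sensor1" ip="10.1.2.3"/>'
    '<iphdr saddr="192.0.2.44" daddr="10.1.2.3"/>'
    '<sig_name>constructed test alert</sig_name>'
    '</event>'
)

if __name__ == "__main__":
    sanitize = build_sanitizer(["10.0.0.0/255.0.0.0", "192.168.0.0/16"])
    print(sanitize(SAMPLE_RECORD))
```

Masking is applied to the serialized text rather than to individual fields so that an address appearing in any attribute (sensor address, packet header, payload dump) is treated the same way; addresses outside the configured ranges, such as the external peer in the sample, are left intact for the receiving analyst.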
Examples:
output xml: log, file=output
output xml: alert, protocol=http host=air.cert.org file=aircert.cgi
output xml: log, protocol=https host=air.cert.org file=aircert cert=mycert.crt key=mykey.pem ca=ca.crt server=Report_server
output xml: log, protocol=tcp host=air.cert.org port=1234
|PROTOCOL ||   tcp    |   http   |  https   |   iap    |
========================================================
| file    || no       | required | required | no       |
|---------||----------|----------|----------|----------|
| host    || required | required | required | required |
|---------||----------|----------|----------|----------|
| port    || required | optional | optional | optional |
|---------||----------|----------|----------|----------|
| cert    || no       | no       | required | optional |
|---------||----------|----------|----------|----------|
| key     || no       | no       | required | optional |
|---------||----------|----------|----------|----------|
| ca      || no       | no       | required | optional |
|---------||----------|----------|----------|----------|
| server  || no       | no       | required | no       |
|---------||----------|----------|----------|----------|
| sanitize|| optional | optional | optional | optional |
========================================================
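As an added example that is not the plug-in's own parser, the following Python validator applies the parameter matrix above to an "output xml:" line: it checks the facility, rejects parameters the matrix marks "no" and missing ones it marks "required", fills in the documented default ports, and collects repeated sanitize values. A line with no protocol is treated as local file logging, where file must be the only parameter. The matrix is followed as written, so port is required for tcp, and values containing spaces are not accepted.

```python
# Added example (not the plug-in's own parser): validate an "output xml:"
# configuration line against the documented parameter matrix and apply the
# documented default ports.

DEFAULT_PORT = {"http": 80, "https": 443, "tcp": 9000, "iap": 9000}

# Parameter matrix as documented. "no" means the parameter must be absent.
MATRIX = {
    "file":   {"tcp": "no",       "http": "required", "https": "required", "iap": "no"},
    "host":   {"tcp": "required", "http": "required", "https": "required", "iap": "required"},
    "port":   {"tcp": "required", "http": "optional", "https": "optional", "iap": "optional"},
    "cert":   {"tcp": "no",       "http": "no",       "https": "required", "iap": "optional"},
    "key":    {"tcp": "no",       "http": "no",       "https": "required", "iap": "optional"},
    "ca":     {"tcp": "no",       "http": "no",       "https": "required", "iap": "optional"},
    "server": {"tcp": "no",       "http": "no",       "https": "required", "iap": "no"},
}
# "sanitize" is optional for every protocol and may be repeated, so it is
# collected into a list instead of living in MATRIX.


class ConfigError(ValueError):
    """Raised for a line the plug-in would refuse."""


def parse_output_xml(line):
    """Parse 'output xml: [log | alert], key=value ...' and validate it.

    Returns a dict with the facility, the protocol ('file' for local
    logging), the resolved port, the remaining parameters and the list of
    sanitize ranges. Values containing spaces are not supported.
    """
    prefix = "output xml:"
    line = line.strip()
    if not line.startswith(prefix):
        raise ConfigError("not an 'output xml:' line")
    facility, comma, rest = line[len(prefix):].partition(",")
    facility = facility.strip()
    if not comma or facility not in ("log", "alert"):
        raise ConfigError("facility must be 'log' or 'alert'")

    params, sanitize = {}, []
    for token in rest.split():
        key, eq, value = token.partition("=")
        if not eq or not value:
            raise ConfigError(f"malformed parameter {token!r}")
        if key == "sanitize":
            sanitize.append(value)
        elif key in params:
            raise ConfigError(f"duplicate parameter {key!r}")
        else:
            params[key] = value

    protocol = params.pop("protocol", None)
    if protocol is None:
        # No protocol: log to a local file, and 'file' must be the only parameter.
        if set(params) != {"file"} or sanitize:
            raise ConfigError("local logging takes exactly one parameter: file=<path>")
        return {"facility": facility, "protocol": "file", "port": None,
                "params": params, "sanitize": sanitize}

    if protocol not in DEFAULT_PORT:
        raise ConfigError(f"unknown protocol {protocol!r}")
    unknown = set(params) - set(MATRIX)
    if unknown:
        raise ConfigError(f"unknown parameter(s): {sorted(unknown)}")
    for key, rule in MATRIX.items():
        if rule[protocol] == "required" and key not in params:
            raise ConfigError(f"{key} is required for protocol {protocol}")
        if rule[protocol] == "no" and key in params:
            raise ConfigError(f"{key} is not allowed for protocol {protocol}")

    try:
        port = int(params.pop("port", DEFAULT_PORT[protocol]))
    except ValueError:
        raise ConfigError("port must be an integer") from None
    return {"facility": facility, "protocol": protocol, "port": port,
            "params": params, "sanitize": sanitize}


if __name__ == "__main__":
    for example in (
        "output xml: log, file=output",
        "output xml: alert, protocol=http host=air.cert.org file=aircert.cgi",
        "output xml: log, protocol=tcp host=air.cert.org",   # port missing: rejected
    ):
        try:
            print(parse_output_xml(example))
        except ConfigError as err:
            print(f"rejected {example!r}: {err}")
```

Checking the "no" cells is as useful as checking the "required" ones: a cert or key parameter on an http line is a sign the operator expected mutual authentication that the plain HTTP transport never provides, and failing the line early is better than silently posting alerts in the clear.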
Effect:
Snort generated output will be converted into XML and written
to the appropriate medium.
Comments:
Change Log:
08/14/2000 : Initial Release
TODO:
- still need to get IAP working
- add expiration dates/CRL into server certificate validation
- accept parameters with spaces
- real queue management on alerts: batching, using congestion feedback
Please direct any feedback to the snort-users mailing list or you can contact the authors directly.
- Roman Danyliw <rdd@cert.org>
- Jed Pickel
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Copyright 2000 Carnegie Mellon University
The CERT Coordination Center is part of the Networked Systems Survivability Program in the Software Engineering Institute, a federally funded research and development center at Carnegie Mellon University.
The CERT/CC is a member of the Carnegie Mellon Institute for Survivable Systems (CMISS) team.
Last updated November 15, 2001