Experience with Snort-1.8.0

Experience with Snort-1.8.0

Author Gnicky URL: http://blog.9cbs.net/loconfuse

Recently written things are more like a record process, this is my thinking habit, maybe you are not like this -) In a sense, I originally wanted to build a SPO_XML.out's output plugin by Snort-1.8, then Let it work in Snort 2.0 (the compiled part is given to 1.8, only when the keyword registration is registered, this should be used in 2.0 using XML Output Plugin, some adventive ideas)

The result is tossing, according to the candle, the display, the No.8 version of the output plug-in is made, and it is not necessary to come. If you want to come, you can try XML output in this directory. I always worry about this version 1.8 version, the upgrade of the version inevitably solves many bugs, high versions are generally stable and safe than the low version. However, for Snort, the high version is better than the low version, maybe it has also added some characteristics, but I haven't learned it yet, I haven't learned it.

Use XML Output Plugin:

Modify the rule file, use RedALERT, use XML plug-in in RedALERT: Output XML; log, file = / var / log / snortxml, run, go to var / log to discover a bunch of XML files, how actually does not follow A focus of an XML file? Observing documents found that only the format of the XML file did not record data, the date of creation of the file is today. But accidentally discovered that there were some XML log files above, and the time was yesterday, I thought the failure yesterday, I actually produced a Alert.xml file? It is also very wonderful. The content is divided into bizarre, even a standard XML framework is not, is less .

The name rules of the XML log file are like this: file name defined in confed Date @ Number (self-growth). Since a Linux system installed 3, 4 different versions of Snort, they were also somewhat dizzy, and the XML logs yesterday were generated by Snort 2.2.0, maybe the XML Plugin implantation 2.2.0 at that time, but Now 2.2 is still can't stand up, that 2.2.0 is because certain modifications, actually a plugin of Detection, Unknown Preprocessor "HTTP Inspect", Unknown Preprocessor "HTTP Inspect Server".

Solving data Unable to enter XML issues:

If there is no data in your XML log file, you can try it, according to the content of the XML file, it should be the storage path of the DTD format file, so the SNML file from the CONTRIB Copy to the main directory, the result is in / var / log Discover a 2.5M file J

Next, the XML file DTD and Content are simply analyzed. First, through the part of the part intercepted in XML log, learn: (some things, I am also guess, I hope to get everyone's corrective)

------------------ The basic structure corresponds to

------ Event Generate Log Action, Many Event Types

- Some of The Libpcap's Property-Default Full / Fast ETC

Eth0 - Eth0 Enternet ONE

192.168.0.59 ipv4

Loc *** Domain Your Listening Host

.

FTP MDTM overflow Attempt --- The Content Is The Msg in Rulesj

2005-01-31 22: 27: 06 08

05820103

000101

00000000000000000101

eth0

192.168.0.59

Loca *** / hostname>

FTP MDTM overflow Attempt >

2005-01-31 22: 27: 06 08

00041F97000000004745 ---- All option is currently not learn 7C6C623A307C2A7C313130373039343738363535362E3132397C7069643A33312D372D31352D332D313333343030377C66696E616E63652E73722F73746F636B2F686B73746F636B6E6577732F32303035303133312F30343337313333343030372E7368746D6C7C73743A39362E3332357C65743A313130373039343836353732377C7C68703A756E6B6F776E7C6C623A307C2A7C313130373039343738363535362E3132397C7069643A33312D372D382D302D313333343533327C66696E616E63652E73722F73746F636B2F792F32303035303133312F30383231313333343533322E7368746D6C7C73743A36322E3434327C65743A313130373039343938303531337C33312D372D31352D332D313333343030377C68703A756E6B6F776E7C6C623A307C2A7C313130373039343738363535362E3132397C7069643A33312D31322D322D302D313333343233307C66696E616E63652E73722F672F32303035303133312F30363434313333343233302E7368746D6C7C73743A32352E3331357C65743A313130373039353139373339317C33312D372D382D302D313333343533327C68703A756E6B6F776E7C6C623A307C2A7C313130373039343738363535362E3132397C7069643A33 312D372D382D302D313332383634367C66696E616E63652E73722F73746F636B2F792F32303035303132382F30313430313332383634362E7368746D6C7C73743A33332E3936 - this pile of stuff one can translate it?

Look at the description in DTD:

It will understand the current structure, and Reference * is not here. Why is it *, don't understand, but find a point about the deferne file, sp_reference has been deleted in subsequent versions. This is the same as the analysis of the disappearance of the file. It can be seen that the implicit problem is implicitly handled when the Snort is designed.

I want to care about the analyzer, I should care about Data Element.

You can choose to see Data content format, such as the HEX, Base64, the most time space ASCII, just nothing can be easily read, because of the hierarchical problem of data acquisition, this and the network ISO model /