Some experiences about the XML plugin of Snort

xiaoxiao2021-03-06  44

Author: gnicky. URL: http://blog.9cbs.net/loconfuse

I got into this out of an interest in XML, and because Snort appeared to support XML well: with the XML output plugin the log can be written straight into a directory on a chosen host, delivered over HTTP to a configured port, which is a different model from the usual one of opening a local file with the right permissions. On top of that there is an open-source tool, ACID_SNORT_XML, for analysing Snort logs in XML format. If such a system could be set up, a complete Snort-based NIDS could be built with XML files as the record carrier, and the open-source XML analysis tool, together with the XML support in .NET, could be developed further. With that pile of ideas I went searching online.

The write-ups on using the XML plugin basically come down to two approaches. The first is to install libidmef, the XML DTD library and so on: download and install whatever library files are required, then run ./configure with the right options. Looking through the heap of options in the snort-2.2.0 configure script, I could not tell whether any of them had an effect. They cannot have any, because configure does not recognise those keywords at all; what the build does report, during compilation, is which header files it searches for, which can at least be compared. In short, a lot of effort went into this approach, writing a long ./configure --with-... --enable-... command line. After it finally ran without errors, the result was not what I had imagined: I still did not know how to make the XML keyword do anything. Depressing... Opening INSTALL again, I found --with-openssl (used by the xml output plugin) and that XML is mentioned only sparsely in the whole text. INSTALL also lists --with-libidmef, but there is no such option in ./configure.
The second is the method described at http://www.cert.org/kb/snortxml, where the installation process turns out to be very simple and the usage of the XML plugin is described in more detail. The XML plugin appeared after Snort 1.6.3; in fact it is no longer supported as of release 2.0.0, and the differences between 1.x and 2.x are considerable, especially in the source layout and the documentation. Early plugin source files and declarations sat directly in the top-level directory; now the plugin files live under the plugin directory in src (src/output-plugins), and a central build compiles them all into the executable on Linux. The early spo_xml.c can still be found, but the spo_xml.h file is no longer included. How to use the spo_xml files with version 2.0 is left to anyone interested to research further; exchanges are welcome :)
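Whether the plugin writes its XML to a file or, as described above, delivers it over HTTP to a host and port, the receiving side ends up holding one XML event body per record and has to parse it. As an added example (not code from this post, from Snort, or from the CERT plugin), here is the collector-side parser a practitioner would want: it accepts an event body, refuses DOCTYPE/ENTITY declarations (XXE and entity-expansion), bounds the size, validates addresses and ports instead of trusting the sensor, and decodes the payload. The element and attribute names in the constructed sample event (event, sensor, iphdr, tcphdr/udphdr, data with a hex- or base64-encoded payload) are an assumption loosely modelled on the plugin's output, not its real DTD; Alert, parse_event and accepts are the example's own names.

```python
import base64
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

MAX_EVENT_BYTES = 64 * 1024  # bound what one sensor message may carry

# Constructed sample; element/attribute names are an assumption loosely
# modelled on the XML output plugin, not its real DTD.
SAMPLE_EVENT = b"""<?xml version="1.0"?>
<event version="1.0">
  <sensor encoding="hex"><hostname>sensor1.example.test</hostname></sensor>
  <signature>WEB-MISC /etc/passwd</signature>
  <timestamp>2004-06-01 12:34:56</timestamp>
  <iphdr saddr="192.0.2.10" daddr="198.51.100.5" proto="6">
    <tcphdr sport="40112" dport="80"/>
  </iphdr>
  <data>474554202f6574632f70617373776420485454502f312e30</data>
</event>
"""

class RejectedEvent(ValueError):
    """Anything the collector refuses to store."""

@dataclass
class Alert:
    sensor: str
    signature: str
    timestamp: str
    saddr: str
    daddr: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes

def _int(node, attr, hi):
    """Integer attribute bounded to 0..hi; None if the element is absent."""
    if node is None:
        return None
    try:
        value = int(node.get(attr, ""))
    except ValueError:
        raise RejectedEvent(f"bad {attr}") from None
    if not 0 <= value <= hi:
        raise RejectedEvent(f"{attr} out of range")
    return value

def parse_event(raw: bytes) -> Alert:
    """Parse one event body (a file record or an HTTP POST body)."""
    if len(raw) > MAX_EVENT_BYTES:
        raise RejectedEvent("event too large")
    # Plugin output carries no DTD, so a DOCTYPE/ENTITY in network input is an
    # attack (XXE, entity expansion); refuse it before expat sees it, since
    # ElementTree does expand internal entities.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise RejectedEvent("DOCTYPE/ENTITY declarations not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedEvent(f"malformed XML: {exc}") from None
    sensor, iphdr = root.find("sensor"), root.find("iphdr")
    if root.tag != "event" or sensor is None or iphdr is None:
        raise RejectedEvent("not an <event> with <sensor> and <iphdr>")
    l4 = iphdr.find("tcphdr")
    if l4 is None:
        l4 = iphdr.find("udphdr")
    encoding = sensor.get("encoding", "hex")
    if encoding not in ("hex", "base64"):
        raise RejectedEvent(f"unknown payload encoding {encoding!r}")
    text = (root.findtext("data") or "").strip()
    try:  # binascii.Error is a ValueError subclass
        payload = (bytes.fromhex(text) if encoding == "hex"
                   else base64.b64decode(text, validate=True))
    except ValueError as exc:
        raise RejectedEvent(f"bad payload: {exc}") from None
    try:  # validate addresses instead of trusting what the sensor sent
        saddr = str(ipaddress.ip_address(iphdr.get("saddr", "")))
        daddr = str(ipaddress.ip_address(iphdr.get("daddr", "")))
    except ValueError:
        raise RejectedEvent("bad address") from None
    return Alert(
        sensor=(sensor.findtext("hostname") or "").strip(),
        signature=(root.findtext("signature") or "").strip(),
        timestamp=(root.findtext("timestamp") or "").strip(),
        saddr=saddr, daddr=daddr, payload=payload,
        proto=_int(iphdr, "proto", 255),
        sport=_int(l4, "sport", 65535), dport=_int(l4, "dport", 65535),
    )

def accepts(raw: bytes) -> bool:
    """True if the collector would store this event, False if it rejects it."""
    try:
        parse_event(raw)
        return True
    except RejectedEvent:
        return False
```

ElementTree's expat parser does not fetch external entities by default, but it does expand internal ones, so the up-front DOCTYPE/ENTITY check is what actually stops an entity-expansion body from a hostile or compromised sensor; defusedxml's forbid_dtd option enforces the same rule if you prefer a library. The size bound belongs on the HTTP side too (check Content-Length before reading the body), and the listener should only be reachable from the sensor hosts.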

Please credit the original source when reposting: https://www.9cbs.com/read-62800.html
