146
Chapter 4 Plugins, Preprocessors and Output Modules
4.2.6 The XML Output Module
The Simple Network Modeling Language (SNML) is available for exporting Snort alerts so that they can be read and interpreted by any XML-based interpreter or browser. Information about the Snort XML plug-in is available at http://www.cert.org/kb/snortxml/. At the time of writing this book, version 0.2 of the SNML DTD is available from this web site; it is also reproduced in Appendix E.
Using this plug-in, you can save XML data in a file on the local machine or send it to a web server using the HTTP or HTTPS protocol.
The general format for using the XML output plug-in is as follows:
output xml: [log | alert], [parameter list]
You can use either the log or the alert option with the XML module. With alert, only alert messages are logged. The other parameters that can be used with this plug-in are listed in Table 4-1.
Table 4-1 Parameters Used with XML Module

Parameter   Description
file        Stores data to an XML file.
protocol    Logs messages to some other host using that protocol. Important protocols are
            HTTP, HTTPS, and TCP. When you use the HTTP protocol, you also need to specify
            a file parameter; data is logged to the HTTP server using the POST method in the
            specified file. If you want to use the HTTPS protocol, you also need to provide
            the file, cert, and key parameters for secure logging. If you use the TCP
            protocol, a server must be listening on the port specified with the port
            parameter.
host        Defines the remote host where data will be logged.
port        Defines the port number on the remote host where data will be logged. The
            default port numbers for HTTP, HTTPS, and TCP are 80, 443, and 9000
            respectively.
cert        The certificate to be used with the HTTPS protocol. It is an X.509 client
            certificate.
key         The client private key.
ca          The server certificate used for authentication.
server      The Common Name (CN) of the X.509 certificate.
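As an added example (not code from the book or from the Snort project), the following Python script parses and lints "output xml:" lines against the rules in Table 4-1: logging to a local file needs a file parameter, HTTP needs file, HTTPS needs file, cert and key, and the default ports are 80, 443 and 9000. Two things it assumes are not stated on this page: that the parameter list is written as comma-separated key=value pairs, and that any remote protocol needs a host. The hostnames and paths in the sample lines are constructed placeholders.

```python
"""Lint and render Snort 'output xml:' lines using the rules in Table 4-1.

Added example, not code from the book or from the Snort project. It
assumes (an assumption, not stated on this page) that the parameter list
is written as comma-separated key=value pairs, e.g.
    output xml: alert, protocol=tcp, host=10.0.0.5, port=9000
and that every remote protocol needs a 'host' parameter.
"""

# Default ports from Table 4-1.
DEFAULT_PORTS = {"http": 80, "https": 443, "tcp": 9000}

# Parameter names from Table 4-1.
KNOWN_PARAMS = {"file", "protocol", "host", "port", "cert", "key", "ca", "server"}

# Extra parameters each remote protocol needs, per Table 4-1
# (HTTP posts into the named file; HTTPS additionally needs a client cert and key).
REQUIRED_BY_PROTOCOL = {
    "http": {"file"},
    "https": {"file", "cert", "key"},
    "tcp": set(),
}


def parse_xml_output(line):
    """Split one 'output xml:' line into (mode, params dict)."""
    prefix = "output xml:"
    text = line.strip()
    if not text.startswith(prefix):
        raise ValueError("not an 'output xml:' line")
    fields = [f.strip() for f in text[len(prefix):].split(",") if f.strip()]
    if not fields:
        raise ValueError("missing log/alert mode")
    mode, params = fields[0].lower(), {}
    for field in fields[1:]:
        if "=" not in field:
            raise ValueError(f"parameter without a value: {field!r}")
        key, value = field.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return mode, params


def lint_xml_output(mode, params):
    """Return a list of problems; an empty list means the line agrees with Table 4-1."""
    problems = []
    if mode not in ("log", "alert"):
        problems.append(f"mode must be 'log' or 'alert', got {mode!r}")
    for name in sorted(set(params) - KNOWN_PARAMS):
        problems.append(f"unknown parameter {name!r}")
    protocol = params.get("protocol")
    if protocol is None:
        # No protocol: data goes to a local XML file, so 'file' is mandatory.
        if "file" not in params:
            problems.append("local logging needs a 'file' parameter")
        return problems
    if protocol not in REQUIRED_BY_PROTOCOL:
        problems.append(f"unsupported protocol {protocol!r}")
        return problems
    if "host" not in params:
        problems.append(f"protocol {protocol!r} needs a 'host' to log to")
    for name in sorted(REQUIRED_BY_PROTOCOL[protocol] - set(params)):
        problems.append(f"protocol {protocol!r} requires {name!r}")
    if "port" in params and not (params["port"].isdigit() and 0 < int(params["port"]) < 65536):
        problems.append(f"port must be 1-65535, got {params['port']!r}")
    return problems


def effective_port(params):
    """Port the module will talk to: explicit 'port', else the protocol's default."""
    if "port" in params:
        return int(params["port"])
    return DEFAULT_PORTS.get(params.get("protocol"))


def render_xml_output(mode, params):
    """Render a lint-clean configuration back into an 'output xml:' line."""
    problems = lint_xml_output(mode, params)
    if problems:
        raise ValueError("; ".join(problems))
    return "output xml: " + ", ".join([mode] + [f"{k}={v}" for k, v in params.items()])


if __name__ == "__main__":
    # Constructed snort.conf lines; the hosts and paths are placeholders.
    sample = [
        "output xml: log, file=/var/log/snort/alert.xml",
        "output xml: alert, protocol=https, host=collector.example.net, file=/snort/post",
        "output xml: alert, protocol=tcp, host=10.0.0.5",
    ]
    for line in sample:
        mode, params = parse_xml_output(line)
        print(line)
        print("  port:", effective_port(params), "problems:", lint_xml_output(mode, params) or "none")
```

Running the script on the three constructed lines reports the local file line as clean, flags the HTTPS line for its missing cert and key, and shows the TCP line falling back to port 9000. The same functions can be pointed at the "output xml:" lines of a real snort.conf to catch a secure-logging setup that silently lacks client credentials.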
Note that XML output is important for many web applications and for integrating Snort into such systems. Some Snort XML parsers exist, including ACID XML at http://www.maximumunix.org, although these are still in their infancy.