Snort mailing list archives
reg Snort IDMEF plugin problem, NULL facility
From: Mayank Bhatnagar <mayank () ncb ernet in>
Date: Wed, 30 Mar 2005 15:20:28 +0530 (IST)
Hi Snort Users,
I have installed the Snort IDMEF plugin. There were some initial problems with
patching, but those were sorted out by manually patching the file. I didn't get
further problems in configure and make, make install. Then I enabled the IDMEF
plugin in the configuration in snort.conf, with the following minimum but MUST
arguments,
-----------------------------------------------------------
output idmef: 172.16.5.0/24 output=log
logto=/var/log/snort/idmef_alerts.log analyzerid=IDS1
dtd=/data/EIDS/CodeTrials/EC/Tools/snort-idmef/idmef-message.dtd
-----------------------------------------------------------
and ran Snort for some time in default alert mode with the -dev options.
I am getting the following error:
-----------------------------------------------------------
ERROR: IDMEF: cannot output messages on a NULL facility
-----------------------------------------------------------
I looked up this error in the Snort Users archive and found a similar
posting:
http://archives.neohapsis.com/archives/snort/2003-09/0565.html
The error refers to the same NULL facility, but there have been no
answers/replies.
Please suggest what could be the problem. I am sure there is some
configuration problem with respect to the output idmef: plugin. But since
Snort initially says
-----------------------------------------------------------
IDMEF: No stored alert id. Continuing with alert id = 1
Snort IDMEF Plugin successfully initialized
-----------------------------------------------------------
it is suggesting IDMEF has been properly initialised.
My OS: Fedora Core release 2 (Tettnang)
Snort version: snort-2.3.0
snort-idmef version: snort-idmef-plugin-1.2.1alpha2.0.5
Libidmef: libidmef-0.7.3-beta (source bz2)
Regards,
Mayank Bhatnagar
mayank () ncb ernet in
68 Electronics City,
CDAC (Formerly NCST),
Bangalore-560100.
Ph: 080-28523300/28520259-1200
Fax: 080-28520239
