[Snort-users] reg Snort IDMEF plugin problem, NULL facility

Mayank Bhatnagar mayank at ...9923...
Wed Mar 30 01:28:11 EST 2005

hi Snort Users,

I have installed the Snort IDMEF plugin. There were some initial problems with 
patching, but those were sorted out by manually patching the file. I didn't get 
further problems in configure and make, make install. Then I enabled the IDMEF 
plugin in configuration in snort.conf, with the following minimum but MUST 

output idmef: output=log
logto=/var/log/snort/idmef_alerts.log analyzerid=IDS1

and ran snort for some time in default alert mode with -dev options, 

I am getting the following error

ERROR: IDMEF: cannot output messages on a NULL facility

I looked up this error in the Snort Users archive and found a similar 


The error refers to the same NULL facility, but there has been no 

Please suggest what could be the problem. I am sure there is some 
configuration problem with respect to the output idmef: plugin. But since 
Snort initially says 

IDMEF: No stored alert id.  Continuing with alert id = 1
Snort IDMEF Plugin successfully initialized

it is suggesting IDMEF has been properly initialised.

My OS: Fedora Core release 2 (Tettnang)
Snort version: snort-2.3.0
snort-idmef version: snort-idmef-plugin-1.2.1alpha2.0.5
Libidmef: libidmef-0.7.3-beta (source bz2)

Thanks & Regards,
Mayank Bhatnagar
mayank at ...9923...

68 Electronics City ,
CDAC (Formerly NCST), 
Ph: 080-28523300/28520259-1200
Fax: 080-28520239
