[Snort-users] reg Snort IDMEF plugin problem, NULL facility

Mayank Bhatnagar mayank at ...9923...
Wed Mar 30 05:18:50 EST 2005


hi Snort Users,

I have installed the Snort IDMEF plugin. There were some initial problems with 
patching, but those were sorted out by manually patching the file. I didn't get 
further problems in configure, make and make install. Then I enabled the IDMEF 
plugin in snort.conf, with the following minimum but mandatory 
arguments:

-----------------------------------------------------------
output idmef: 172.16.5.0/24 output=log
logto=/var/log/snort/idmef_alerts.log analyzerid=IDS1
dtd=/data/EIDS/CodeTrials/EC/Tools/snort-idmef/idmef-message.dtd
-----------------------------------------------------------

and ran Snort for some time in default alert mode with the -dev options.

I am getting the following error:

-----------------------------------------------------------
ERROR: IDMEF: cannot output messages on a NULL facility
-----------------------------------------------------------

I searched for this error in the Snort-users archive and found a similar 
posting:

	http://archives.neohapsis.com/archives/snort/2003-09/0565.html

That post refers to the same NULL facility error, but there were no 
answers/replies.

Please suggest what the problem could be. I am sure there is some 
configuration problem with respect to the output idmef: plugin. But since 
Snort initially says

-----------------------------------------------------------
IDMEF: No stored alert id.  Continuing with alert id = 1
Snort IDMEF Plugin successfully initialized
-----------------------------------------------------------

it suggests that IDMEF has been properly initialised.


My OS: Fedora Core release 2 (Tettnang)
Snort version: snort-2.3.0
snort-idmef version: snort-idmef-plugin-1.2.1alpha2.0.5
Libidmef: libidmef-0.7.3-beta (source bz2)


Regards,
Mayank Bhatnagar
mayank at ...9923...

68 Electronics City ,
CDAC (Formerly NCST), 
Bangalore-560100.
Ph: 080-28523300/28520259-1200
Fax: 080-28520239
__________________________________________________________________