Snort mailing list archives
AW: Snort+IDMEF...need help!
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Mon, 29 Sep 2003 07:52:58 +0200
Prachid,

Take a look at sourceforge.net/projects/snort-idmef where I provide a new version.

HTH,
Sandro


Hi all,

I tried to bring my snort + idmef up. But, so far, the snort process was dead with this error:

Sep 28 16:28:00 biff snort: FATAL ERROR: IDMEF: cannot output messages on a NULL facility

I'm running snort-2.0.2 with IDMEF XML output plugin for Snort, version 0.2.2. I can compile both of them without problem. This is the snort's configuration line...

$ ./configure --prefix=/usr/local/snort --mandir=/usr/local/man --enable-idmef --with-libxml2-includes=/usr/local/include --with-libxml2-libraries=/usr/local/lib

The following alert is received and snort is dead.... (/var/log/snort/alert)

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/29-00:11:49.034901 192.168.0.50:1074 -> 192.168.0.1:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:117 DF
Len: 89
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517]

and snort is dead!

This is the IDMEF setting in my snort.conf file.

output idmef: $HOME_NET logto=/var/log/snort/idmef_alerts.log dtd=/usr/local/snort/etc/idmef-message.dtd analyzerid=IDS1 output=alert name=biff default=ascii indent=true

Do you have any idea where I'm stuck?

Prachid T.
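The alert block and the output idmef: line in the thread are the only structured data it contains. As an added example, not code from Snort or from the snort-idmef plugin, here is a Python parser for that Snort 2.x alert-file format that also renders each record as a simplified IDMEF Alert. The sample alert is the one quoted in the thread and the analyzerid value reuses IDS1 from the quoted snort.conf line; the IDMEF element names are a reduced subset assumed from RFC 4765, not the plugin's exact DTD output.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Sample record copied from the thread (the three xrefs are on one line in
# Snort's alert file, exactly as Prachid pasted them).
SAMPLE_ALERT = """[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/29-00:11:49.034901 192.168.0.50:1074 -> 192.168.0.1:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:117 DF
Len: 89
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP|IP)\b")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    xrefs: List[str] = field(default_factory=list)

    def cve_names(self) -> List[str]:
        """CVE/CAN identifier from each cve.mitre.org xref URL (name= parameter)."""
        return [n for url in self.xrefs for n in _ref_names(url)]


def _ref_names(url: str) -> List[str]:
    return parse_qs(urlparse(url).query).get("name", [])


def _endpoint(text: str):
    """'192.168.0.1:161' -> ('192.168.0.1', 161); ICMP endpoints carry no port."""
    ip, sep, port = text.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return text, None


def parse_alert_block(block: str) -> SnortAlert:
    """Parse one blank-line-delimited record of Snort's 'alert' output file."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    alert = SnortAlert(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
    for ln in lines[1:]:
        if (m := CLASS_RE.match(ln)):
            alert.classification, alert.priority = m.group(1), int(m.group(2))
        elif (m := FLOW_RE.match(ln)):
            alert.timestamp = m.group(1)
            alert.src_ip, alert.src_port = _endpoint(m.group(2))
            alert.dst_ip, alert.dst_port = _endpoint(m.group(3))
        elif (m := PROTO_RE.match(ln)):
            alert.protocol = m.group(1)
        elif ln.startswith("[Xref"):
            alert.xrefs.extend(XREF_RE.findall(ln))
    return alert


def parse_alert_file(text: str) -> List[SnortAlert]:
    """Records in the alert file are separated by blank lines."""
    return [parse_alert_block(b) for b in re.split(r"\n\s*\n", text) if b.strip()]


def to_idmef(alert: SnortAlert, analyzerid: str) -> str:
    """Render a reduced RFC 4765-style IDMEF Alert (assumed subset, not the plugin's DTD)."""
    root = ET.Element("IDMEF-Message", version="1.0")
    a = ET.SubElement(root, "Alert")
    ET.SubElement(a, "Analyzer", analyzerid=analyzerid, name="snort")
    ET.SubElement(a, "CreateTime").text = alert.timestamp or ""
    for tag, ip, port in (("Source", alert.src_ip, alert.src_port),
                          ("Target", alert.dst_ip, alert.dst_port)):
        side = ET.SubElement(a, tag)
        addr = ET.SubElement(ET.SubElement(side, "Node"), "Address", category="ipv4-addr")
        ET.SubElement(addr, "address").text = ip or ""
        svc = ET.SubElement(side, "Service")
        if port is not None:
            ET.SubElement(svc, "port").text = str(port)
        ET.SubElement(svc, "protocol").text = alert.protocol or ""
    cls = ET.SubElement(a, "Classification", text=alert.msg)
    for url in alert.xrefs:
        names = _ref_names(url)
        ref = ET.SubElement(cls, "Reference", origin="cve" if names else "unknown")
        ET.SubElement(ref, "name").text = names[0] if names else url
        ET.SubElement(ref, "url").text = url
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for rec in parse_alert_file(SAMPLE_ALERT):
        print(rec.sid, rec.msg, rec.cve_names())
        print(to_idmef(rec, "IDS1"))
```

Running the block parses the thread's SNMP alert into sid 1411 with three CVE references and prints the corresponding IDMEF document; feeding it a whole /var/log/snort/alert file works the same way because records are split on blank lines.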