Snort mailing list archives

Re: reg Snort IDMEF plugin problem, NULL facility


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Wed, 30 Mar 2005 13:01:39 +0200

Mayang,

Please try this in snort.conf:

output idmef: 172.16.5.0/24 output=log
facility_default=file|/var/log/snort/idmef_alerts.log analyzerid=IDS1
dtd=/data/EIDS/CodeTrials/EC/Tools/snort-idmef/idmef-message.dtd

The logto option is deprecated, but I've not yet updated the documentation,
sorry ;)

I'm currently working on a completely rewritten version of snort-idmef which
also includes lots of additional information generated in the IDMEF
message, and it will reflect the current IDMEF draft 14.

I'll also update the documentation to reflect the new settings.

Best regards,
Sandro
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On behalf of Mayank
Bhatnagar
Sent: Wednesday, 30 March 2005 12:00
To: snort-users () lists sourceforge net
Subject: [Snort-users] reg Snort IDMEF plugin problem, NULL facility


hi Snort Users,

I have installed the Snort IDMEF plugin. There were some initial problems with
patching, but those were sorted by manually patching the file. I didn't get
further problems in configure and make, make install. Then I enabled the IDMEF
plugin in snort.conf, with the following minimum required (MUST)
arguments,

-----------------------------------------------------------
output idmef: 172.16.5.0/24 output=log logto=/var/log/snort/idmef_alerts.log
analyzerid=IDS1
dtd=/data/EIDS/CodeTrials/EC/Tools/snort-idmef/idmef-message.dtd
-----------------------------------------------------------

and ran snort for some time in default alert mode with -dev options, 

I am getting the following error:

-----------------------------------------------------------
ERROR: IDMEF: cannot output messages on a NULL facility
-----------------------------------------------------------

I searched for this error in the Snort Users archive and found a similar
posting,

        http://archives.neohapsis.com/archives/snort/2003-09/0565.html

The error refers to the same NULL facility, but there have been no
answers/replies.

Please suggest what the problem could be. I am sure there is some
configuration problem with respect to the output idmef: plugin. But since
Snort initially says

-----------------------------------------------------------
IDMEF: No stored alert id.  Continuing with alert id = 1
Snort IDMEF Plugin successfully initialized
-----------------------------------------------------------

it is suggesting IDMEF has been properly initialised.


My OS: Fedora Core release 2 (Tettnang)
Snort version: snort-2.3.0
snort-idmef version: snort-idmef-plugin-1.2.1alpha2.0.5
Libidmef: libidmef-0.7.3-beta (source bz2)


Thanks & Regards,
Mayank Bhatnagar
mayank () ncb ernet in

68 Electronics City,
CDAC (Formerly NCST), 
Bangalore-560100.
Ph: 080-28523300/28520259-1200
Fax: 080-28520239
__________________________________________________________________
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
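As an added example (not code from this thread or from the snort-idmef plugin), a small checker that parses `output idmef:` stanzas from a snort.conf, joins backslash-continued lines, and flags the deprecated `logto` option and a missing or malformed `facility_default`, the configuration gap behind the NULL facility error. It assumes Snort's backslash line continuation and only the option names quoted in this thread; the sample configuration is constructed from the two stanzas above.

```python
# Constructed snort.conf fragment: the poster's original stanza (deprecated
# logto=...) followed by the corrected one from the reply (facility_default=file|...).
SAMPLE_SNORT_CONF = """\
output idmef: 172.16.5.0/24 output=log logto=/var/log/snort/idmef_alerts.log \\
    analyzerid=IDS1 dtd=/data/EIDS/CodeTrials/EC/Tools/snort-idmef/idmef-message.dtd
# corrected stanza
output idmef: 172.16.5.0/24 output=log \\
    facility_default=file|/var/log/snort/idmef_alerts.log analyzerid=IDS1 \\
    dtd=/data/EIDS/CodeTrials/EC/Tools/snort-idmef/idmef-message.dtd
"""

def join_continuations(text):
    """Merge backslash-continued lines (Snort syntax); drop comments and blanks."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines

def parse_idmef_output(line):
    """Split 'output idmef: <args>' into {option: value}; bare tokens map to ''."""
    opts = {}
    for tok in line.split(":", 1)[1].split():
        key, _, val = tok.partition("=")
        opts[key] = val
    return opts

def check_idmef_config(text):
    """Return one finding string per problem found in each 'output idmef:' stanza."""
    findings = []
    for n, line in enumerate(join_continuations(text), 1):
        if not line.startswith("output idmef:"):
            continue
        opts = parse_idmef_output(line)
        if "logto" in opts:
            findings.append(f"stanza {n}: 'logto' is deprecated; use facility_default=file|<path>")
        fac = opts.get("facility_default", "")
        if "|" not in fac:   # no facility at all, or not in <type>|<target> form
            findings.append(f"stanza {n}: facility_default missing or malformed; "
                            "the plugin will report a NULL facility")
    return findings
```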
