From: Prachid T. (prachidcscoms.net)
Date: Sun Sep 28 2003 - 10:02:14 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,
I tried to bring my snort + idmef up.
But, so far, snort process was dead with this error

Sep 28 16:28:00 biff snort: FATAL ERROR: IDMEF: cannot output messages on a NULL facility

I'm runing snort-2.0.2 with IDMEF XML output plugin for Snort, version 0.2.2.
I can complie both of them without problem. This is the snort's configuration line...

$ ./configure --prefix=/usr/local/snort --mandir=/usr/local/man --enable-idmef
 --with-libxml2-includes=/usr/local/include --with-libxml2-libraries=/usr/local/lib

The following alert is received and snort is dead.... (/var/log/snort/alert)

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/29-00:11:49.034901 192.168.0.50:1074 -> 192.168.0.1:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:117 DF
Len: 89
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => ht
tp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012][Xref => http://cve.mi
tre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517]

and snort is dead!

This is the IDMEF setting in my snort.conf file.

output idmef: $HOME_NET logto=/var/log/snort/idmef_alerts.log dtd=/usr/local/sno
rt/etc/idmef-message.dtd analyzerid=IDS1 output=alert name=biff default=ascii in
dent=true

Do you have any idea where I stuck?

Prachid T.

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]