[Snort-devel] Problems after 1.8.3 upgrade to 1.8.6

Michael Lafreniere mlafren at ...1261...
Fri Apr 12 15:31:03 EDT 2002

Ok ran it with -T and got:

Log directory = /var/log/snort

Initializing Network Interface xl0
WARNING: OpenPcap() device xl0 network lookup:
        xl0: no IPv4 address assigned

        --== Initializing Snort ==--
Decoding Ethernet on interface xl0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /root/rules

Initializing rule chains...
ERROR line /root/rules (1) => Unknown rule type: ��
Fatal Error, Quitting..

My rule files and snort.conf file are untouched and were downloaded before 
I posted here.  I got them from the snort site with the source code.  I 
went back and set the HOME_NET var to the proper network (like the old one 
was) and still same error.  First file listed is for rules is bad-
traffic.rules which has the first rule of:
alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD TRAFFIC tcp port 0 
traffic"; sid:524;  classtype:misc-activity; rev:3;)

Commenting out this line returns same error.  I've recompiled the source 
code from the fresh tar.gz file I downloaded off the snort site and also 
returns same error.

I also cannot run the old snort, 1.8.3 I did a fresh recompile of it and 
it now comes up with the same errors.

Tripwire reports the systems not been compromised, chkrootkit also reports 
nothing even remotely suspisicous.

Thanks to Brian and Erek for replying so fast.

This happened a few days ago, been trying to solve it myself but it's 
beyond me and the boss is asking why hes not getting snort logs (he was on 
mailing list to get them).

Anyways next set of ideas would be greatly appricated :)

-Michael Lafreniere

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Friday, April 12, 2002 2:13 PM
To: Michael Lafreniere
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Problems after 1.8.3 upgrade to 1.8.6

On Fri, 12 Apr 2002, Michael Lafreniere wrote:


> Apr 11 11:53:59 gw snort: Initializing daemon mode
> Apr 11 11:53:59 gw snort: PID stat checked out ok, PID set to /var/run/
> Apr 11 11:53:59 gw snort: Writing PID file to "/var/run/"
> Apr 11 11:53:59 gw snort: FATAL ERROR: ERROR line /root/rules (1) =>
> Unknown rule type: <FA><A8>
> I've greped the rules directory for both versions for <FA><A8> and 
> turns up.  Help!!
> If you need more info please email me and tell me what you need.  Thanks.

First things first:  Relax.  :)  It helps!

It seems that you've got a corrupt rule or corrupt config file.  Don't 
snort with the -D parameter, try starting by hand and using the -T flag.  -
will do a sanity check on all files.  Your error is either on the first 
of your .conf file or the first line of a rules file, if I read your error

Check that and see what you get!

Erek Adams

More information about the Snort-devel mailing list