[Snort-devel] Error on 1.8.7beta2 (Build 114) (Immediate exit after initialization)

Rob Hughes rob at ...825...
Sat May 11 10:30:04 EDT 2002


All,

Built from CVS this morning. Now I get this error within 1-2 seconds of
starting snort:


/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -deX -L snort.log -i dc0
Log directory = /var/log/snort

Initializing Network Interface dc0

        --== Initializing Snort ==--
Decoding Ethernet on interface dc0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: ACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports:
21 22 23 25 53 80 110 111 143 513 8880
Back Orifice detection brute force: DISABLED
Using LOCAL time
ProcessFileOption: /var/log/snort/alert
Linking FullAlert functions to call lists...
1325 Snort rules read...
1325 Option Chains linked into 165 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.7beta2 (Build 114)
By Martin Roesch (roesch at ...402..., www.snort.org)
exhausted all 0 blocks of 1 treeroots; exiting; you might want to
increase DEFAULT_MAX_ROOT_BLOCKS or DEFAULT_ROOT_BLOCK_SIZE in params.h
next free root: 0; int: 0, leaf: 0

ns2# uname -a
FreeBSD ns2.robhughes.com 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE #10: Fri May 10 01:14:32 CDT 2002     root at ...1369...:/usr/obj/usr/src/sys/FWDIPFMKI  i386

ns2# cat snort.conf
#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.6 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.77.2.11 2002/04/22 23:48:19 cazz Exp $

var HOME_NET [12.237.138.77/32,192.168.1.0/24,192.168.0.1/24]

var EXTERNAL_NET !$HOME_NET

var SMTP [x.x.x.x/32,x.x.x.x/32]

var HTTP_SERVERS [x.x.x.x/32,x.x.x.x/32]

var SQL_SERVERS $HOME_NET

var DNS_SERVERS [x.x.x.x/32,x.x.x.x/32,x.x.x.x/32]

var DNS x.x.x.x/32 x.x.x.x/32 x.x.x.x/32

var RULE_PATH ./rules

var SHELLCODE_PORTS !80

preprocessor frag2

preprocessor stream4: detect_scans

preprocessor stream4_reassemble:both,ports 21 22 23 25 53 80 143 110 111 513 8880

preprocessor http_decode: 80 -unicode -cginull

preprocessor rpc_decode: 111 32771

preprocessor bo: -nobrute

preprocessor telnet_decode

preprocessor portscan: $HOME_NET 4 3 portscan.log

preprocessor portscan-ignorehosts: $DNS

#Still learning to tune this bit

preprocessor spade-adapt2: 0.01 15 4 24 7
preprocessor spade-threshlearn: 200 24
preprocessor spade-survey:  $SPADEDIR/survey.txt 60
preprocessor spade-stats: entropy uncondprob condprob

preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: x.x.x.x 0:c0:f0:3c:2f:3e
preprocessor arpspoof_detect_host: x.x.x.x 0:2:fc:86:80:8c

output alert_full: alert

output trap_snmp: alert, 7, trap -v 2c -p 162  listener string

#
# For SNMPv2c informs
#
#output trap_snmp: alert, 7, inform -v 2c -p 162  myTrapListener myCommunity
#
# For SNMPv3 traps with
# security name = snortUser
# security level = authentication and privacy
# authentication parameters :
#           authentication protocol = SHA ,
#           authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters
#           privacy protocol = DES,
#           privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption
#output trap_snmp: alert, 7, inform -v 3 -p 162 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
#   flags:A+;)

#
# Include classification & priority settings
#

include classification.config



include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules


Nothing else other than rebuilding snort has changed since the previous
build.

Regards,
Rob
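An added example, not part of Rob's post and not Snort's own code: a small Python check that flags, in a snort.conf like the one quoted above, template placeholders (x.x.x.x) left unfilled, $VARIABLE references with no earlier `var` definition (the quoted config uses $SPADEDIR without defining it), and variables defined twice. The sample config below is a constructed, trimmed copy of the lines in the post.

```python
import re

# Constructed sample: a trimmed copy of the snort.conf quoted in the post.
SAMPLE_CONF = """\
var HOME_NET [12.237.138.77/32,192.168.1.0/24,192.168.0.1/24]
var EXTERNAL_NET !$HOME_NET
var SMTP [x.x.x.x/32,x.x.x.x/32]
var DNS x.x.x.x/32 x.x.x.x/32 x.x.x.x/32
var RULE_PATH ./rules
preprocessor portscan-ignorehosts: $DNS
preprocessor spade-survey:  $SPADEDIR/survey.txt 60
preprocessor arpspoof_detect_host: x.x.x.x 0:c0:f0:3c:2f:3e
include $RULE_PATH/local.rules
"""

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(.*)$")   # var NAME value
VAR_REF = re.compile(r"\$(\w+)")                   # $NAME reference
PLACEHOLDER = re.compile(r"\bx\.x\.x\.x\b")        # ruleset template filler


def lint_snort_conf(text):
    """Return a list of (line_no, message) findings.

    Snort reads its config top to bottom, so a $VAR must be defined on an
    earlier line than any use; the check mirrors that ordering.
    """
    findings = []
    defined = {}  # var name -> line where first defined
    for n, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments (assumes no '#' inside rule strings).
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = VAR_DEF.match(line)
        if m:
            name, body = m.groups()
            if name in defined:
                findings.append((n, f"var {name} redefined (first defined at line {defined[name]})"))
            defined[name] = n
        else:
            body = line
        if PLACEHOLDER.search(body):
            findings.append((n, "template placeholder x.x.x.x still present"))
        for ref in VAR_REF.findall(body):
            if ref not in defined:
                findings.append((n, f"${ref} referenced but not defined earlier in the file"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_snort_conf(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
```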