[Snort-devel] Snort version 2.1.1 on Gentoo

Jason security at ...1585...
Mon Apr 19 19:12:04 EDT 2004


I suspect you are using an old config; http_decode no longer exists and
has been replaced with http_inspect. Use the updated config that came
with your 2.1.1 or, even better, get 2.1.2 from www.snort.org
and build/use that one.

--- snip ---
Snort 2.1.2 Released  	Brian @ Wed Mar 31 21:56:17 2004 GMT
Good afternoon, snorters!

The Snort Team is proud to officially release Snort v2.1.2. This is a 
bugfix release, and so it is recommended that users upgrade to this new 
release.

Fixes highlighted for this release are as follows:

     * Fixed conversation parsing faults so users can operate this preprocessor
     * Detect non-rfc standard chunk encodings (thanks, H.D. Moore <hdm at ...2451...>)
     * Detect abnormal HTTP requests with newlines, spaces, etc. before the request method (thanks, Kanatoko <anvil at ...2452...>).
     * Fix invalid ptr reference that occurred on Fedora. This should also help reduce any false positive 'U Decoding' alerts. (thanks, Owen Crow <Owen_Crow at ...2453...>)
     * Fix possible condition where request pipeline URL gets inspected, but the rest of a packet doesn't.
     * Fix negative stats output on snort exit or SIGUSR1. (thanks, Owen Crow <Owen_Crow at ...2453...> and others)

Thanks to the community for your continued input and comments, as 
always, it is much appreciated!

Happy Snorting,
The Snort Team

Security wrote:
> I'm experiencing some odd issues with snort version 2.1.1, output below.  
> 
> 2.6.4 #4 SMP Mon Apr 12 15:15:30 MDT 2004 i686 Pentium III (Coppermine)
> GenuineIntel GNU/Linux
> 
> Specifically - ERROR:  unknown preprocessor "ð_decode"
> 
> Can anyone provide input or a fix on how to resolve this one?  I'm stumped.
> 
> 
> 
> Initializing Network Interface eth0
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file ./snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     flush_data_diff_size: 500
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> ERROR:  unknown preprocessor "ð_decode"
> Fatal Error, Quitting..
> 
> Done.
> 
> 
> 
> 
> 
> And if I comment out http_decode it results in the following:
> 
> root at ...2490... snort # snort -T
> Running in IDS mode with inferred config file: ./snort.conf
> Log directory = /var/log/snort
> 
> Initializing Network Interface eth0
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file ./snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     flush_data_diff_size: 500
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> Using LOCAL time
> Segmentation fault
> 
> 
> 
> 
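A small pre-flight check for the migration discussed in this thread, added here as an example (it is not code from the posters or from the Snort project): it lists the active `preprocessor` directives in a snort.conf, flags `http_decode` as removed in favour of `http_inspect`, and reports when no `http_inspect` directive is active at all, which is the state the config is in after simply commenting `http_decode` out. The sample configs are constructed, and the names `audit` and `logical_lines` are hypothetical.

```python
import re

# Removed directive -> replacement, as stated in the reply above.
REMOVED = {"http_decode": "http_inspect"}
DIRECTIVE = re.compile(r"^\s*preprocessor\s+([^\s:]+)")

# Constructed sample configs (not the poster's actual snort.conf).
OLD_CONF = """\
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor http_decode: 80
preprocessor rpc_decode: 111 32771
"""
COMMENTED_CONF = OLD_CONF.replace("preprocessor http_decode", "# preprocessor http_decode")
UPDATED_CONF = COMMENTED_CONF + """\
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 }
"""

def logical_lines(text):
    """Yield (first_line_no, joined_line), joining trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def audit(text):
    """Return ([(line_no, name)] of active preprocessors, [findings])."""
    active, findings = [], []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not loaded
        m = DIRECTIVE.match(line)
        if m:
            active.append((no, m.group(1)))
            if m.group(1) in REMOVED:
                findings.append(f"line {no}: '{m.group(1)}' removed; use '{REMOVED[m.group(1)]}'")
    if not any(name.startswith("http_inspect") for _, name in active):
        findings.append("no active http_inspect directive")
    return active, findings
```

Run `audit(open("snort.conf").read())` before `snort -T`; an empty findings list means the removed directive is gone and an `http_inspect` directive is active.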




