[Snort-devel] 2.1.1 RC1 questions and issues

JP Vossen vossenjp at ...628...
Sat Feb 7 06:27:28 EST 2004

First, a simple one.  The 'time ' option to Performance Statistics is not
described in the comments or the PDF manual.  I assume it is the interval in
seconds between perf. "snapshots" but it'd be nice to have that in writing.

# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

Speaking of writing, there is a typo in the following in the conf:
# In snort 2.0.1 and above, this only alerts when the a TCP option is detected

"the" or "a"...   Pick one.

Next, I may be doing something wrong or missing something, but it seems to me
that blank lines are not allowed in included files.  That seems very
counterintuitive and wrong.

To demonstrate, comment out ALL the normal variables (may not be necessary to
reproduce, that's just what I did) and include a file with blank lines
(config files supplied off-line on request).  When I do that, I get:

/etc/snort# snort -T -c ./snort.conf
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

Initializing rule chains...
ERROR: jp_variables.conf(18) => Unknown rule type:
Fatal Error, Quitting..

Change the blank lines around--the first one will be listed in the above
error.  I sometimes also get this error during the same test, but I don't know

ERROR: jp_variables.conf(6) => NULL rule type

The work-around is trivial, place a comment (#) on each otherwise blank line.
But it's really confusing and the error message is misleading...

Also, I'm getting the following, which I tracked down to missing files in the
RPM spec file, which I've reported to myself and Dan. :-)

ERROR: ./snort.conf(292) => Invalid file name for IIS Unicode Map file.

The 'snort-2.1.1-RC1/etc/generators' tarball file is out of date for
maintainer and actual generators (e.g. 119 = TBA).  Not sure if anyone cares.

What is 'snort-2.1.1-RC1/etc/sid' supposed to be?  Just wondering.

Where is this threshold coming from?  Not that I think it's a bad idea, but I
can't find it in my default config files.  Is it hard coded?  If so, wouldn't
it be better to 'hard code' into the conf file so that it can be trivially
disabled if needed?  Or am I missing something?

/etc/snort# snort -T -c ./snort.conf 2>&1 | grep -B1  2275
| gen-id=1  sig-id=2275   type=Threshold tracking=dst count=5   seconds=60

When using a MySQL backend, should -T return something like this:
database: Closing connection to database""
database: Closing connection to database ""
database: Closing connection to database ""
database: Closing connection to database "d/Reserved IP protocol"

FWIW, this all came about when upgrading my internal and honeypot configs from
2.0.1 (yeah, I know) to 2.1.1-RC1.  With the above minor exceptions, and
starting with brand new 2.1.1 config files, everything worked like a charm.

JP Vossen, CISSP
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
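As an added illustration of the blank-line problem reported in the message above (example code written for this page, not Snort's own parser and not the poster's config files): a small Python preflight check that follows `include` directives from a top-level snort.conf, reports every blank line found inside an included file using the same `file(line)` location format Snort prints in its errors, and flags include paths that do not exist. It also applies the work-around the poster describes (a `#` on each otherwise-blank line) and re-runs the check. Assumptions: relative include paths resolve against the directory of the top-level config, and the two-file config tree is constructed here for the demonstration.

```python
"""Preflight check for a Snort 2.x configuration tree (constructed example).

Follows `include` directives from a top-level snort.conf and reports blank
lines inside included files in Snort's own "file(line)" location format, so
the report lines up with the location an `snort -T` failure points at.
Nothing here is Snort code; it only mimics the include syntax.
"""
import os
import re
import tempfile

# Matches "include <path>" lines; leading whitespace and trailing newline allowed.
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")


def find_blank_lines_in_includes(top_conf):
    """Return "file(line)" strings for every blank line inside an included file,
    plus a note for every include whose target does not exist."""
    findings = []
    seen = set()
    # Assumption: relative include paths resolve against the top-level config's dir.
    base_dir = os.path.dirname(os.path.abspath(top_conf))

    def walk(conf_path, is_included):
        real = os.path.realpath(conf_path)
        if real in seen:          # guard against include loops
            return
        seen.add(real)
        with open(conf_path) as fh:
            for lineno, line in enumerate(fh, start=1):
                if is_included and line.strip() == "":
                    findings.append(f"{os.path.basename(conf_path)}({lineno})")
                m = INCLUDE_RE.match(line)
                if m:
                    inc = m.group(1)
                    if not os.path.isabs(inc):
                        inc = os.path.join(base_dir, inc)
                    if os.path.exists(inc):
                        walk(inc, True)
                    else:
                        findings.append(
                            f"{os.path.basename(conf_path)}({lineno}) include not found: {inc}")

    walk(top_conf, False)
    return findings


def comment_blank_lines(text):
    """The work-around from the post: make each blank line a '#' comment,
    preserving the original line endings."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        out.append("#" + line[len(body):] if body.strip() == "" else line)
    return "".join(out)


def build_demo_tree(root):
    """Write a constructed two-file config (not the poster's files) under root."""
    variables = (
        "# constructed include file\n"
        "var HOME_NET 10.0.0.0/8\n"
        "\n"                      # line 3: blank line inside an included file
        "var EXTERNAL_NET !$HOME_NET\n"
        "\n"                      # line 5: another one
        "var DNS_SERVERS $HOME_NET\n"
    )
    main = (
        "include jp_variables.conf\n"
        "\n"                      # blank in the top-level file: not reported
        "preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000\n"
        "include missing.conf\n"  # constructed: an include whose target is absent
    )
    with open(os.path.join(root, "jp_variables.conf"), "w") as fh:
        fh.write(variables)
    with open(os.path.join(root, "snort.conf"), "w") as fh:
        fh.write(main)
    return os.path.join(root, "snort.conf")


def demo():
    """Build the tree in a scratch directory, check it, apply the work-around
    to the included file, and check again. Returns (before, after)."""
    root = tempfile.mkdtemp(prefix="snort-preflight-")
    top = build_demo_tree(root)
    before = find_blank_lines_in_includes(top)
    inc = os.path.join(root, "jp_variables.conf")
    with open(inc) as fh:
        fixed = comment_blank_lines(fh.read())
    with open(inc, "w") as fh:
        fh.write(fixed)
    after = find_blank_lines_in_includes(top)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before work-around:", *before, sep="\n  ")
    print("after work-around:", *after, sep="\n  ")
```

Run it before `snort -T` when an include-heavy config fails with "Unknown rule type" or "NULL rule type" at a line that looks empty; the first reported location should match the line Snort complains about, and the "include not found" notes catch the missing-file class of error separately.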

