[Snort-openappid] Configuration Problem
jim at w4bqp.net
Sat Jun 17 07:13:10 EDT 2017
I did everything but delete the Snort binary and configuration
directory. But I don't understand deleting the configuration directory.
That's where all my configuration modifications are kept. Do I really
need to re-enter all my configuration data? Please clarify.
Thanks for the help.
On 6/17/2017 2:12 AM, Noah Dietrich wrote:
> Hi Jim,
> I re-ran this install on a new Ubuntu 16 x64 install and did not
> encounter the issue you are seeing, I've tried with the unified2
> settings you have above, and I'm again not able to recreate the
> problem. I suspect that you've either not re-compiled snort with
> OpenAppID support, or you're using a compiled version of snort without
> Did you first delete the old version of the snort binary and configuration
> directory before trying to compile snort with OpenAppID? When you
> compiled snort, did you use both options:
> --enable-sourcefire --enable-open-appid
> Did you check the output of that command to see if there were any
> issues? I usually run it a second time, as follows, to see if any
> software features were not enabled:
> ./configure --enable-sourcefire --enable-open-appid
> (make sure the output succeeded)
> ./configure --enable-sourcefire --enable-open-appid | grep '... no'
> (look for anything that should have been enabled that is not
> enabled. you'll see some no's here, but they aren't required for the
> most part)
> As for the other error you referenced, it's not related to this issue.
> The problem was that if OpenAppID was compiled in, all U2 output was
> version 2 of the unified2 format, which doesn't work with a lot of
> tools out there.
> On Thu, Jun 15, 2017 at 9:27 PM, Jim Campbell <jim at w4bqp.net> wrote:
> Fresh off my success yesterday of getting Snort 220.127.116.11 to work in
> inline IPS mode I decided to upgrade to OpenAppID. I used the
> instructions in
> All went well until I got to the part where I ran Snort in test
> mode to check out my snort.conf changes. (I installed the most
> current version of the Application Detector Package (5411).)
> All went well until I got to this part:
> Finished Loading all dynamic preprocessor libs from
> Log directory = /var/log/snort
> ERROR: Argument Error in /etc/snort/snort.conf(529): appid_event_types
> Fatal Error, Quitting..
> This is the pertinent section of snort.conf:
> # unified2
> # Recommended for most installs
> # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
> output unified2: filename snort.u2, limit 128
> output unified2: filename snort.log, limit 128, appid_event_types
> Searching for help in the archives I discovered that Noah Dietrich
> had a similar problem but it occurred when he was testing
> Barnyard2. His post is at: http://seclists.org/snort/2016/q1/290
> It didn't appear that he got an answer.
> Is there an answer or is OpenAppID broken?
> "We are not human beings having a spiritual experience;
> we are spiritual beings having a human experience."
> ---Pierre Teilhard de Chardin
> Snort-openappid mailing list
> Snort-openappid at lists.snort.org
> Please visit http://blog.snort.org to stay current on all the
> latest Snort news!
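Added example, not code from the thread or from the Snort project: the point in the reply about OpenAppID builds writing a newer unified2 record type that "a lot of tools" do not understand is easiest to confirm by looking at what a spool file actually contains. The script below walks a unified2 file record by record using the 8-byte type/length header each record starts with, counts the record types, and flags the ones that only an OpenAppID-enabled build emits. The record-type numbers are the constants from Snort's Unified2_common.h; the sample file it scans is constructed inline, with zero-filled record bodies of illustrative length, so it runs offline.

```python
"""Report which unified2 record types a Snort spool file contains.

Added example, not part of the thread. Record-type constants are taken from
Snort's Unified2_common.h; the sample spool is constructed inline.
"""
import struct
from collections import Counter

# Unified2 record types (Snort 2.9.x, Unified2_common.h).
U2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",             # original IPv4 event record
    72: "IDS_EVENT_IPV6",
    99: "IDS_EVENT_MPLS",
    100: "IDS_EVENT_IPV6_MPLS",
    104: "IDS_EVENT_VLAN",      # event with mpls/vlan fields
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
    111: "IDS_EVENT_APPID",     # written by an OpenAppID-enabled build
    112: "IDS_EVENT_APPID_IPV6",
    113: "IDS_EVENT_APPSTAT",
}

# Types that exist only in OpenAppID-enabled builds; a consumer that predates
# OpenAppID has no parser for them.
APPID_TYPES = {111, 112, 113}

# Every record starts with: uint32 type, uint32 length (network byte order).
HEADER = struct.Struct("!II")


def iter_records(data: bytes):
    """Yield (type, payload) per record; stop cleanly on a truncated tail."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + length > len(data):
            # Snort may still be writing the last record; a partial tail is normal.
            break
        yield rtype, data[off:off + length]
        off += length


def summarize(data: bytes) -> dict:
    """Count record types and report how many only an OpenAppID build produces."""
    counts = Counter(rtype for rtype, _ in iter_records(data))
    return {
        "counts": {U2_TYPES.get(t, f"UNKNOWN_{t}"): n
                   for t, n in sorted(counts.items())},
        "appid_records": sum(n for t, n in counts.items() if t in APPID_TYPES),
        "unknown_types": sorted(t for t in counts if t not in U2_TYPES),
    }


def build_sample() -> bytes:
    """Constructed sample spool: a classic IPv4 event, a VLAN-style event, an
    appid event and a packet record, followed by a truncated record.
    Bodies are zero-filled placeholders; only the headers matter here."""
    records = [(7, 52), (104, 60), (111, 124), (2, 44)]
    out = b"".join(HEADER.pack(t, n) + b"\x00" * n for t, n in records)
    out += HEADER.pack(7, 52) + b"\x00" * 10   # partial trailing record
    return out


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(summarize(raw))
```

Run it against a real spool (`python3 u2types.py /var/log/snort/snort.u2.1497572000`) and, if the appid_records count is non-zero, the file was written by an OpenAppID build with appid_event_types set; that is the record type an older consumer will reject, independent of anything in snort.conf.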