[Snort-users] ERROR: OpenPcap() FSM compilation failed:

Martin Roesch roesch at ...421...
Mon Mar 26 20:02:19 EST 2001


You need to set the switches like this:

/usr/sbin/snort -v -c snort.conf

The -v switch doesn't take any arguments so Snort thinks you're trying
to hand it a command line BPF filter.

Incidentally, running a -v switch when in IDS mode (-c) dramatically
reduces Snort's performance.

    -Marty

Aaron McKinnon wrote:
> 
> Just downloaded the latest version of snort.conf and all the rules. I
> untarred them into /etc/snort/rules_conf, changed the new snort.conf file to
> match my system, and tried to fire snort up and I'm getting a strange error:
> 
> [root at ...1377... rules_conf]# /usr/sbin/snort -c -v snort.conf
> 
>         --== Initializing Snort ==--
> 
> Initializing Network Interface eth0
> ERROR: OpenPcap() FSM compilation failed:
>         parse error
> PCAP command: snort.conf
> 
> I am including the un-commented sections of my snort.conf. All of the new
> rules live in the same dir as the conf file. Ideas???
> 
> var HOME_NET $eth0_208.158.118.150
> var HOME_NET 208.158.118.0/24
> var EXTERNAL_NET any
> var SMTP 208.158.118.2
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> preprocessor defrag
> preprocessor http_decode: 80 8080
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> include local.rules
> include exploit.rules
> include scan.rules
> include finger.rules
> include ftp.rules
> include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include backdoor.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include netbios.rules
> include sql.rules
> include web-cgi.rules
> include web-coldfusion.rules
> include web-frontpage.rules
> include web-misc.rules
> include web-iis.rules
> include icmp.rules
> include misc.rules
> 
> Thanks for any help.
> 
> -Aaron
> 
> -----------------------------------
> Aaron McKinnon
> System Administrator
> Fullerene Productions, Inc.
> 3250 Wilshire Blvd. Suite 2000
> Los Angeles, CA 90010
> 213.365.1692
> -----------------------------------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list