[Snort-users] Error in snort start (Duplicate processor keyword) e-mail number 2

Denis Augusto A. de Souza denis.souza at ...2049...
Fri May 18 15:50:15 EDT 2001


Dear friends,

	My snort start process have problems (yet)!
I want to thank all e-mails received (this's great!!!). 
My problem:

 	And the snort (in your start) send me:


    --== Initializing Snort ==--

Initializing Network Interface eth0
Decoding Ethernet on Interface eth0
Initializing Preprocessors!
ERROR (null) (0) => Duplicate preprocessor keyword!

	I'm sending my snort conf file and the compilation
informations for avaliations.

	Thanks in advance,

          Denis Augusto

--------- Informations ---------

My test system: OPenBSD with libcap.

My snort start teste line: snort -AFull -t / -l /var/log/snort2 
    -M /etc/snort.adms -c /etc/snort.conf

My compilation information:

loading cache ./config.cache
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... (cached) yes
checking for working aclocal... missing
checking for working autoconf... missing
checking for working automake... missing
checking for working autoheader... missing
checking for working makeinfo... found
checking for gcc... (cached) gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ANSI C... (cached) none needed
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -g -O2 ) works... yes
checking whether the C compiler (gcc -g -O2 ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking host system type... i386-unknown-openbsd2.8
checking whether byte ordering is bigendian... (cached) no
checking how to run the C preprocessor... (cached) gcc -E
checking for strings.h... (cached) yes
checking for string.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for unistd.h... (cached) yes
checking for sys/sockio.h... (cached) yes
checking for paths.h... (cached) yes
checking for inet_ntoa in -lnsl... (cached) no
checking for socket in -lsocket... (cached) no
checking whether printf must be declared... (cached) no
checking whether fprintf must be declared... (cached) no
checking whether syslog must be declared... (cached) no
checking whether puts must be declared... (cached) no
checking whether fputs must be declared... (cached) no
checking whether fputc must be declared... (cached) no
checking whether fopen must be declared... (cached) no
checking whether fclose must be declared... (cached) no
checking whether fwrite must be declared... (cached) no
checking whether fflush must be declared... (cached) no
checking whether getopt must be declared... (cached) no
checking whether bzero must be declared... (cached) no
checking whether bcopy must be declared... (cached) no
checking whether memset must be declared... (cached) no
checking whether strtol must be declared... (cached) no
checking whether strcasecmp must be declared... (cached) no
checking whether strncasecmp must be declared... (cached) no
checking whether strerror must be declared... (cached) no
checking whether perror must be declared... (cached) no
checking whether socket must be declared... (cached) no
checking whether sendto must be declared... (cached) no
checking whether vsnprintf must be declared... (cached) no
checking whether strtoul must be declared... (cached) no
checking for snprintf... (cached) yes
checking for strerror... (cached) yes
checking for floor in -lm... (cached) yes
checking for pcap_datalink in -lpcap... (cached) yes
checking for mysql... no
checking for odbc... no
checking for postgresql... no
checking for oracle... no
checking for openssl... yes
checking for u_int8_t... (cached) yes
checking for u_int16_t... (cached) yes
checking for u_int32_t... (cached) yes
checking for a BSD compatible install... /usr/bin/install -c
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged

My snort.conf file:

#--------------------------------------------------
#   http://www.snort.org     Snort 1.7.0 Ruleset
#      Current Database Updated -- 04/04/2001
#  Contact:  Jim Forster - jforster at ...176...
#--------------------------------------------------
# NOTE:This ruleset only works for 1.7.0 and later
#--------------------------------------------------
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
# var HOME_NET 10.1.1.0/24
# or use global variable $<intname>_ADDRESS which
# will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
#
#var HOME_NET $eth0_ADDRESS

var HOME_NET 10.1.0.0/16

# Set up the external network addresses as well.  
# A good start may be "any"...

var EXTERNAL_NET any

# Set up your SMTP servers, or simply configure them 
# to HOME_NET 

var SMTP $HOME_NET

# Set up your web servers, or simply configure them 
# to HOME_NET
var HTTP_SERVERS $HOME_NET
 
# Set up your SQL servers, or simply configure them
# to HOME_NET
var SQL_SERVERS $HOME_NET

# Define the addresses of DNS servers and other hosts 
# if you want to ignore portscan false alarms from them...

#var DNS_SERVERS [192.168.1.1/32,10.1.1.1/32]

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# minfrag: detect small fragments
# -------------------------------
# minfrag takes the minimum fragment size (in bytes)
# threshold as its argument. Fragmented packets at of
# below this size will cause an alert to be generated.
# The functionality of this preprocessor is largely
# superceded by the defrag plugin below.

#preprocessor minfrag: 128

# defrag: defragmentation support
# -------------------------------
# IP defragmentation support from Dragos Ruiu. There
# are no configuration options at this time.

preprocessor defrag

# stream: TCP stream reassembly
# -----------------------------
# TCP stream reassembly preprocessor from Chris Cramer.  
# This preprocessor should always go after the defrag 
# preprocessor, but before http_decode. The example 
# below monitors ports 23 and 80, has a timeout after
# 10 seconds, and will send reassembled packets of max
# payload 16384 bytes through the detection engine. See
# README.tcpstream for more information and configuration
# options. Uncomment the following line and configure 
# appropriately to enable this preprocessor.
#
# NOTE: This code should still be considered BETA!
# It seems to be stable, but there are still some
# issues that remain to be resolved, so make sure you
# keep an eye on your Snort sensor if you enable this plugin

# preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote 
# machines by converting any %XX character 
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request. 
# Specify the port numbers you want it to analyze as arguments.

preprocessor http_decode: 80 8080

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can all multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS

# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
#
# READ the README.Spade file before using this plugin!
#
# See http://www.silicondefense.com/spice/ for more info
#
# Spade is a Snort plugin to report unusual, possibly 
# suspicious, packets. Spade will review the packets 
# received by Snort, find those of interest (TCP SYNs 
# into your homenets, if any), and report those packets
# that it believes are anomalous along with an anomaly 
# score.  To enable spp_anomsensor, you must have a
# line of this form in your snort configuration file:
#
# preprocessor spade: <anom-report-thresh> <state-file>
# <log-file> <prob-mode> <checkpoint-freq>
#
# DO NOT ENABLE THIS PLUGIN UNLESS YOU HAVE READ THE 
# README.Spade FILE THAT COMES IN THIS DISTRIBUTION AND
# ARE COGENT OF THE PERFORMANCE IMPACT THAT THIS MODULE
# MAY HAVE UPON YOUR NORMAL SNORT CONFIGURATION!
#
# set this to a directory Spade can read and write to
# store its files
#
# var SPADEDIR .
#
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets
# going to here
#
# preprocessor spade-homenet: 0.0.0.0/0
#
# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or
# however long the period is set to in the second argument), the reporting
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
# preprocessor spade-adapt3: 0.01 60 168
#
# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5
# adapt method #2
#preprocessor spade-adapt2: 0.01 15 4 24 7
# offline threshold learning
#preprocessor spade-threshlearn: 200 24
# periodically report on the anom scores and count of packets seen
#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob


####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# Note that you can optionally define new rule types and 
# associate one or more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: snort.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=snort dbname=snort host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort

# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
#
# output xml: log, file=/var/log/snortxml


####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
#
# The snort web site has documentation about how to 
# write your own custom snort rules.
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives ore may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
#   Max Vision <vision at ...4...> - www.whitehats.com
#   Ron Gula <rgula at ...922...> of Network Security Wizards
#   Martin Markgraf <martin at ...923...>
#   CyberPsychotic <fygrave at ...121...>
#   Nick Rogness <nick at ...176...>
#   Jim Forster <jforster at ...176...>
#   Scott McIntyre <scott at ...315...>
#   Tom Vandepoel <Tom.Vandepoel at ...271...>
#   Brian Caswell <bmc at ...312...>
#
#===============================================
# Include all relevant rulesets here 
# by default virus, policy and info are disabled
#===============================================
# Be sure you have created a local.rules file
# for your includes/ignores, etc.
#===============================================
#include local.rules
include /etc/rules/exploit.rules
include /etc/rules/scan.rules
include /etc/rules/finger.rules
include /etc/rules/ftp.rules
include /etc/rules/telnet.rules
include /etc/rules/smtp.rules
include /etc/rules/rpc.rules
include /etc/rules/rservices.rules
include /etc/rules/backdoor.rules
include /etc/rules/dos.rules
include /etc/rules/ddos.rules
include /etc/rules/dns.rules
include /etc/rules/netbios.rules
include /etc/rules/sql.rules
include /etc/rules/web-cgi.rules
include /etc/rules/web-coldfusion.rules
include /etc/rules/web-frontpage.rules
include /etc/rules/web-misc.rules
include /etc/rules/web-iis.rules
include /etc/rules/icmp.rules
include /etc/rules/misc.rules
include /etc/rules/policy.rules
include /etc/rules/info.rules
include /etc/rules/virus.rules





More information about the Snort-users mailing list