[Snort-users] snort/demarc; Unknown config: reference

Scott Kapel skapel at ...7955...
Thu Jan 9 10:40:42 EST 2003


Hello, all,

I've installed snort 1.8 with DEMARC 1.05 on redhat 7.2. I changed the mysql
database to add the sensor.last_cid field, and changed the schema version
from 104 to 106 to accomodate the signatures changes from the snort 1.9
signatures. I've done this many times before with no problems.

snort will run on its own just fine. However, when I try to start DEMARC, it
exits with a snort-derived error as follows:

==========
Starting first iteration at Thu Jan  9 12:13:59 2003
Checking if Snort is running and if rules have been updated
Found snort pid file, checking to see if snort is really running...
Checking if snort is running at PID: 990
PS output:   PID TTY      STAT   TIME COMMAND

snort is NOT running
Attempting to start snort
Error: Unknown config: reference
Fatal Error, Quitting..
Checking if snort is running at PID: 1117
PS output:   PID TTY      STAT   TIME COMMAND

snort is NOT running
Snort won't start!
Snort won't start!
==========

Nothing useful gets logged to any log file. However, what seems to be
happening is that when DEMARC inserts the signatures into it's
auto-generated snort.conf file, snort is barfing over the "reference:"
keyword in the signatures. This is the standard "reference:arachnids",
"reference:url", etc. that as far as I know has always been a part of the
signatures.

The truly baffling part is that several other sensors that I have with what
I believe to be an identical setup on them do not have this problem, and
they also have the reference keywords.

Have I just missed something obvious, or does anyone have any ideas why this
is happening? I'd truly appreciate some help.

P.S., a Google search for that error produced only one relevant listserv
entry which no one answered... :(

Thanks in advance,
Scott





More information about the Snort-users mailing list