[Snort-users] snort-2.1.0 upgrade error

Peggy Kam ppkam at ...11126...
Thu Feb 5 10:49:20 EST 2004


I am currently having trouble upgrading from snort-2.0.4 to 
snort-2.1.0.  I am not able to start snort and I get the following error 
in the syslog:

Feb  5 13:40:21 ndsapp su(pam_unix)[31698]: session opened for user root 
by koadmin(uid=500)
Feb  5 13:40:36 ndsapp snort: Initializing daemon mode
Feb  5 13:40:36 ndsapp snort: PID path stat checked out ok, PID path set 
to /var/run/
Feb  5 13:40:36 ndsapp snort: Writing PID "31746" to file 
Feb  5 13:40:36 ndsapp snort: FATAL ERROR: 
/prod/etc/snort/snort.conf(285) => Invalid file name for IIS Unicode Map 

And when I run snort without -D flag, I get:

Starting Intrusion Database System: SNORT
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /prod/etc/snort/snort.conf

Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
ERROR: /prod/etc/snort/snort.conf(285) => Invalid file name for IIS 
Unicode Map file.
Fatal Error, Quitting..

I have already updated my config files and the rulesets.

When I try /prod/bin/snort -V:

I get
-*> Snort! <*-
Version 2.1.0 (Build 9)
By Martin Roesch (roesch at ...1935..., www.snort.org)

When I try /prod/bin/snort -T:

I get:

-*> Snort! <*-
Version 2.1.0 (Build 9)
By Martin Roesch (roesch at ...1935..., www.snort.org)
USAGE: /prod/bin/snort [-options] <filter options>
        -A         Set alert mode: fast, full, console, or none  (alert 
file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after 
        -h <hn>    Home network = <hn>
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -o         Change the rule testing order to Pass|Alert|Log
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after 
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -w         Dump 802.11 management and control frames
        -X         Dump the raw packet data starting at the link layer
        -y         Include year in timestamp in the alert and log files
        -z         Set assurance mode, match on established sesions (for 
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump

Uh, you need to tell me to do something...

: No such file or directory

Does anyone have any clue how to fix this error?

Thanks in advance,

More information about the Snort-users mailing list