[Snort-users] Fatal error when starting snort on the sensor

Jason security at ...5028...
Fri Sep 17 20:38:38 EDT 2004


Juan,

I suspect that your editor is inserting line breaks where they do not 
belong... or some other mysterious condition exists...

Is it possible for you to use a fresh snort.conf and rules files without 
having opened them in _any_ editor?

Juan Fernandez wrote:

> Hi !!!
>
> It seems that I just had to comment out this:
>  
> #preprocessor http_inspect_server: server 1.1.1.1 \
> 
> ports { 80 3128 8080 } \
> 
> flow_depth 0 \
> 
> ascii no \
> 
>  
> 
> but now I receive another fatal error !!!   :-(
> 
>  
> here is what I see now in /var/log/messages:
>  
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(30):
> Duplicate classification "not-suspicious"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(31):
> Duplicate classification "unknown"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(32):
> Duplicate classification "bad-unknown"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(33):
> Duplicate classification "attempted-recon"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(34):
> Duplicate classification "successful-recon-limited"found, ignoring this line
> 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(35):
> Duplicate classification "successful-recon-largescale"found, ignoring this
> line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(36):
> Duplicate classification "attempted-dos"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(37):
> Duplicate classification "successful-dos"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(38):
> Duplicate classification "attempted-user"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(39):
> Duplicate classification "unsuccessful-user"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(40):
> Duplicate classification "successful-user"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(41):
> Duplicate classification "attempted-admin"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(42):
> Duplicate classification "successful-admin"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(46):
> Duplicate classification "rpc-portmap-decode"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(47):
> Duplicate classification "shellcode-detect"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(48):
> Duplicate classification "string-detect"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(49):
> Duplicate classification "suspicious-filename-detect"found, ignoring this
> line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(50):
> Duplicate classification "suspicious-login"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(51):
> Duplicate classification "system-call-detect"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(52):
> Duplicate classification "tcp-connection"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(53):
> Duplicate classification "trojan-activity"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(54):
> Duplicate classification "unusual-client-port-connection"found, ignoring
> this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(55):
> Duplicate classification "network-scan"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(56):
> Duplicate classification "denial-of-service"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(57):
> Duplicate classification "non-standard-protocol"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(58):
> Duplicate classification "protocol-command-decode"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(59):
> Duplicate classification "web-application-activity"found, ignoring this line
> 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(60):
> Duplicate classification "web-application-attack"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(61):
> Duplicate classification "misc-activity"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(62):
> Duplicate classification "misc-attack"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(63):
> Duplicate classification "icmp-event"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(64):
> Duplicate classification "kickass-porn"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(65):
> Duplicate classification "policy-violation"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(66):
> Duplicate classification "default-login-attempt"found, ignoring this line 
> Sep 18 00:50:17 sensjrlan snort: FATAL ERROR: Undefined variable name:
> (/etc/snort/rules/bad-traffic.rules:12): EXTERNAL_NET
>  
>  
> what to do ?
>  
> thanks very much !!!
>  
> 
> -----Original Message-----
> From: Esler, Joel - Contractor [mailto:joel.esler at ...9426...]
> Sent: Friday, September 17, 2004 10:13 PM
> To: Juan Fernandez
> Subject: RE: [Snort-users] Fatal error when starting snort on the sensor
> 
> 
> 
>  
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Juan Fernandez
> Sent: Friday, September 17, 2004 2:11 PM
> To: 'snort-users at lists.sourceforge.net'
> Subject: [Snort-users] Fatal error when starting snort on the sensor
> 
> 
> 
> Hi Guys!!    
> 
>  
> 
> When I start snort manually from the command line /etc/init.d/snort start I
> see that snort starts:
> 
>  
> 
> Starting Intrusion Database System: SNORT
> 
> SNORT is up and running!
> 
>  
> 
> On /var/log/messages I see:
> 
>  
> 
> Sep 17 21:02:54 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(458) =>
> Unknown rule type: ports
> 
>  
> 
> In snort.conf the 458 line is this:
> 
>  
> 
> output database: alert, mysql, user=snort password=snort dbname=snort
> host=208.170.171.199 sensor_name=sensjrlan
> 
>  
> 
> Mysql and acid are on another server (208.170.171.199) I checked that I can
> telnet to port 3306 so what's wrong ?
> 
>  
> 
> Thanks very much!!!
> 
>  
> 
>  
> 
> 
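
A lint pass for the two fatal errors in this thread, added here as an example; it is not part of the original messages and not Snort's own parser. It assumes a simplified model of snort.conf line continuation (a comment line never opens a continuation, a blank line ends one) and a hypothetical keyword set; `SAMPLE_CONF` and `SAMPLE_RULES` are constructed.

```python
import re

# Keywords allowed to start a logical line (the set this example assumes).
KEYWORDS = {"var", "include", "preprocessor", "output", "config", "ruletype",
            "alert", "log", "pass", "activate", "dynamic"}

def lint_conf(text):
    """Return (line_number, problem) pairs for broken line continuations."""
    findings, continued = [], False
    for no, line in enumerate(text.split("\n"), 1):
        body = line.strip()
        is_comment = body.startswith("#")
        if re.search(r"\\[ \t]+$", line):
            findings.append((no, "whitespace after trailing backslash"))
        if continued:
            if not body:
                findings.append((no, "blank line ends a continuation"))
        elif is_comment:
            if line.endswith("\\"):
                findings.append((no, "comment ends in backslash; next lines stay live"))
        elif body and body.split()[0].rstrip(":") not in KEYWORDS:
            findings.append((no, "unknown rule type: " + body.split()[0]))
        # Assumed model: a comment never opens a continuation.
        continued = line.endswith("\\") and (continued or not is_comment)
    return findings

def undefined_vars(conf_text, rules_text):
    """Names used as $NAME in rule headers but never set with 'var NAME ...'."""
    defined = set(re.findall(r"^\s*var\s+(\w+)", conf_text, re.M))
    used = set()
    for rule in rules_text.splitlines():
        if rule.strip() and not rule.lstrip().startswith("#"):
            used.update(re.findall(r"\$(\w+)", rule.split("(", 1)[0]))
    return used - defined

# Constructed sample input, shaped like the snippet quoted above.
SAMPLE_CONF = r"""var HOME_NET any
#preprocessor http_inspect_server: server 1.1.1.1 \

ports { 80 3128 8080 } \

output database: alert, mysql, dbname=snort
"""
SAMPLE_RULES = 'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed"; sid:1000001;)'

if __name__ == "__main__":
    print(lint_conf(SAMPLE_CONF), sorted(undefined_vars(SAMPLE_CONF, SAMPLE_RULES)))
```

Variables set in files pulled in with `include` are not followed; pass the concatenated text if the definitions live elsewhere.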




