[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Mon Aug 15 20:20:31 EDT 2011


OK, done.
I don't have IPv6 enabled on my system, so you were right: as soon as I
changed ipvar to var it went through that,
but it complains about something else...

Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]:         --== Initializing Snort ==--
Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
Aug 16 00:16:41 dd snort[22515]: Parsing Rules file "/usr/local/etc/snort.conf"
Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]:  [ 80:81 311 591 593 901 1220 1414
1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]:  [ 0:79 81:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]:  [ 1024:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]:  [ 22 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]:  [ 21 2100 3535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: Detection:
Aug 16 00:16:41 dd snort[22515]:    Search-Method = AC-Full-Q
Aug 16 00:16:41 dd snort[22515]:     Split Any/Any group = enabled
Aug 16 00:16:41 dd snort[22515]:     Search-Method-Optimizations = enabled
Aug 16 00:16:41 dd snort[22515]:     Maximum pattern length = 20
Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
from /usr/local/lib/snort_dynamicrules...
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Finished Loading all dynamic
detection libs from /usr/local/lib/snort_dynamicrules
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs
from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]:   Finished Loading all dynamic
preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
Aug 16 00:16:41 dd snort[22515]:     Max frags: 65536
Aug 16 00:16:41 dd snort[22515]:     Fragment memory cap: 4194304 bytes
Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
Aug 16 00:16:41 dd snort[22515]:     Target-based policy: WINDOWS
Aug 16 00:16:41 dd snort[22515]:     Fragment timeout: 180 seconds
Aug 16 00:16:41 dd snort[22515]:     Fragment min_ttl:   1
Aug 16 00:16:41 dd snort[22515]:     Fragment Problems: 1
Aug 16 00:16:41 dd snort[22515]:     Overlap Limit:     10
Aug 16 00:16:41 dd snort[22515]:     Min fragment Length:     100
Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
/usr/local/etc/snort.conf(246) => Unknown Stream5 global option
(max_active_responses 2)


# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

For whatever reason(s), it now doesn't like this line:

   min_response_seconds 5

or, according to syslog, this line:

   max_active_responses 2, \



On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 8/15/2011 17:15, alexus wrote:
>> line 45 of /usr/local/etc/snort.conf states:
>>
>> ipvar HOME_NET [64.237.55.65/27]
>>
>> I don't understand why it's complaining ...
>
> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your snort
> compile, it won't work... use var instead of ipvar...



-- 
http://alexus.org/
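
The question above of which physical line the FATAL ERROR refers to can be settled mechanically. The following is an added example, not part of the original post or of Snort: it unwraps the mail-wrapped syslog record, finds the backslash-continued statement that contains the reported line number, and locates the option named in the error inside it. The function names and the config layout (statement padded to end on line 246) are assumptions made for illustration.

```python
import re

STAMP = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ snort\[\d+\]: ?(.*)$")
FATAL = re.compile(r"FATAL ERROR:\s*(\S+?)\((\d+)\)\s*=>\s*(.*?)(?:\((.*)\))?\s*$")

def unwrap_syslog(text):
    """Rejoin syslog records that were wrapped onto following lines."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append(m.group(1).strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def statements(conf_text):
    """Yield each logical statement as a list of (lineno, text) pairs."""
    group = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        group.append((no, raw))
        if not raw.rstrip().endswith("\\"):
            yield group
            group = []
    if group:
        yield group

def locate_fatal(syslog_text, conf_text):
    """Return (reported_line, (first, last), line_holding_option, option)."""
    for rec in unwrap_syslog(syslog_text):
        m = FATAL.search(rec)
        if not m:
            continue
        reported, option = int(m.group(2)), (m.group(4) or "").strip()
        for group in statements(conf_text):
            if group[0][0] <= reported <= group[-1][0]:
                hit = next((no for no, raw in group if option and option in raw), None)
                return reported, (group[0][0], group[-1][0]), hit, option
    return None

# Constructed sample: the error record from the post (still wrapped) and the
# stream5_global statement padded so that it ends on line 246 (assumed layout).
SYSLOG = ("Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:\n"
          "/usr/local/etc/snort.conf(246) => Unknown Stream5 global option\n"
          "(max_active_responses 2)\n")
CONF = "\n" * 239 + "\n".join([
    "preprocessor stream5_global: track_tcp yes, \\", "   track_udp yes, \\",
    "   track_icmp no, \\", "   max_tcp 262144, \\", "   max_udp 131072, \\",
    "   max_active_responses 2, \\", "   min_response_seconds 5"])
print(locate_fatal(SYSLOG, CONF))
```

With this layout the reported line number falls on the last line of the continued statement, while the option Snort names sits one physical line earlier.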