[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Joel Esler jesler at ...1935...
Mon Aug 15 20:59:22 EDT 2011


Sounds like you may need to take a look at our recommended compile options at the top of the snort.conf in the etc/ directory. 

Check that out.  


On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:

> ok, done
> I don't have ipv6 enabled on my system so you were right, as soon as I
> changed ipvar to var it went through that
> but it complains about something else...
> 
> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
> Aug 16 00:16:41 dd snort[22515]:
> Aug 16 00:16:41 dd snort[22515]:         --== Initializing Snort ==--
> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file "/usr/local/etc/snort.conf"
> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
> Aug 16 00:16:41 dd snort[22515]:  [ 80:81 311 591 593 901 1220 1414
> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
> Aug 16 00:16:41 dd snort[22515]:
> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
> Aug 16 00:16:41 dd snort[22515]:  [ 0:79 81:65535 ]
> Aug 16 00:16:41 dd snort[22515]:
> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
> Aug 16 00:16:41 dd snort[22515]:  [ 1024:65535 ]
> Aug 16 00:16:41 dd snort[22515]:
> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
> Aug 16 00:16:41 dd snort[22515]:  [ 22 ]
> Aug 16 00:16:41 dd snort[22515]:
> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
> Aug 16 00:16:41 dd snort[22515]:  [ 21 2100 3535 ]
> Aug 16 00:16:41 dd snort[22515]:
> Aug 16 00:16:41 dd snort[22515]: Detection:
> Aug 16 00:16:41 dd snort[22515]:    Search-Method = AC-Full-Q
> Aug 16 00:16:41 dd snort[22515]:     Split Any/Any group = enabled
> Aug 16 00:16:41 dd snort[22515]:     Search-Method-Optimizations = enabled
> Aug 16 00:16:41 dd snort[22515]:     Maximum pattern length = 20
> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
> from /usr/local/lib/snort_dynamicrules...
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic detection library
> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Finished Loading all dynamic
> detection libs from /usr/local/lib/snort_dynamicrules
> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs
> from /usr/local/lib/snort_dynamicpreprocessor/...
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Loading dynamic preprocessor
> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
> Aug 16 00:16:41 dd snort[22515]: done
> Aug 16 00:16:41 dd snort[22515]:   Finished Loading all dynamic
> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
> Aug 16 00:16:41 dd snort[22515]:     Max frags: 65536
> Aug 16 00:16:41 dd snort[22515]:     Fragment memory cap: 4194304 bytes
> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
> Aug 16 00:16:41 dd snort[22515]:     Target-based policy: WINDOWS
> Aug 16 00:16:41 dd snort[22515]:     Fragment timeout: 180 seconds
> Aug 16 00:16:41 dd snort[22515]:     Fragment min_ttl:   1
> Aug 16 00:16:41 dd snort[22515]:     Fragment Problems: 1
> Aug 16 00:16:41 dd snort[22515]:     Overlap Limit:     10
> Aug 16 00:16:41 dd snort[22515]:     Min fragment Length:     100
> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
> (max_active_responses 2)
> 
> 
> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
> preprocessor stream5_global: track_tcp yes, \
>   track_udp yes, \
>   track_icmp no, \
>   max_tcp 262144, \
>   max_udp 131072, \
>   max_active_responses 2, \
>   min_response_seconds 5
> 
> for whatever reason(s) now it doesn't like this line:
> 
>   min_response_seconds 5
> 
> or according to syslog line
> 
>   max_active_responses 2, \
> 
> 
> 
> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 8/15/2011 17:15, alexus wrote:
>>> line 45 of /usr/local/etc/snort.conf states:
>>> 
>>> ipvar HOME_NET [64.237.55.65/27]
>>> 
>>> I don't understand why it's complaining ...
>> 
>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your snort
>> compile, it won't work... use var instead of ipvar...
>> 
>> 
>> ------------------------------------------------------------------------------
>> uberSVN's rich system and user administration capabilities and model
>> configuration take the hassle out of deploying and managing Subversion and
>> the tools developers use with it. Learn more about uberSVN and get a free
>> download at:  http://p.sf.net/sfu/wandisco-dev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please see http://www.snort.org/docs for documentation
>> 
> 
> 
> 
> -- 
> http://alexus.org/
> 

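Both fatal errors in this thread come from snort.conf keywords the installed binary does not recognise. As an added example (not from the thread or the Snort project), this script lists the `./configure` switches a snort.conf depends on and compares them with a given build; the `ipvar` mapping comes from the thread, while the active-response mapping and the `# OPTIONS :` header layout are assumptions, and the sample config is constructed.

```shell
# Added example: which ./configure switches does a snort.conf depend on?
# ipvar -> --enable-ipv6 is from the thread; the active-response mapping
# and the "# OPTIONS :" header layout are assumptions.

# Switches required by build-dependent keywords on uncommented lines.
required_flags() {
    sed 's/#.*//' "$1" | awk '
        $1 == "ipvar" { need["--enable-ipv6"] = 1 }
        /max_active_responses|min_response_seconds/ {
            need["--enable-active-response"] = 1 }
        END { for (f in need) print f }' | sort
}

# Switches named in the comment header at the top of the file.
recommended_flags() {
    head -n 20 "$1" | grep '^#' | tr ' \t' '\n\n' | grep '^--enable-' | sort -u
}

# Required switches that are absent from the build's switch list ($2).
missing_flags() {
    built=" $(printf '%s ' $2)"     # collapse newlines/tabs to single spaces
    for f in $(required_flags "$1"); do
        case "$built" in
            *" $f "*) ;;
            *) echo "$f" ;;
        esac
    done
}

# Constructed sample modelled on the configuration quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Snort build options:
# OPTIONS : --enable-ipv6 --enable-active-response --enable-zlib
ipvar HOME_NET [192.0.2.0/27]
# ipvar UNUSED any
preprocessor stream5_global: track_tcp yes, \
  max_active_responses 2, \
  min_response_seconds 5
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
echo "header recommends:" $(recommended_flags "$conf")
echo "config requires:  " $(required_flags "$conf")
echo "missing (built with --enable-zlib only):" $(missing_flags "$conf" "--enable-zlib")
rm -f "$conf"
```

Pass the switches your binary was actually configured with as the second argument to `missing_flags`; an empty result means none of the keywords checked here depends on a switch your build lacks.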
