[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Mon Aug 15 21:32:41 EDT 2011


Anything specific?
On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
> Sounds like you may need to take a look at our recommended compile options at the top of the snort.conf in the etc/ directory.
>
> Check that out.
>
> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>
>> ok, done
>> I don't have IPv6 enabled on my system, so you were right: as soon as I
>> changed ipvar to var it got past that,
>> but it complains about something else...
>>
>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>> Aug 16 00:16:41 dd snort[22515]:
>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file "/usr/local/etc/snort.conf"
>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>> Aug 16 00:16:41 dd snort[22515]:
>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>> Aug 16 00:16:41 dd snort[22515]:
>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>> Aug 16 00:16:41 dd snort[22515]:
>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>> Aug 16 00:16:41 dd snort[22515]:
>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>> Aug 16 00:16:41 dd snort[22515]:
>> Aug 16 00:16:41 dd snort[22515]: Detection:
>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>> Aug 16 00:16:41 dd snort[22515]: done
>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR: /usr/local/etc/snort.conf(246) => Unknown Stream5 global option (max_active_responses 2)
>>
>>
>> # Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
>> preprocessor stream5_global: track_tcp yes, \
>> track_udp yes, \
>> track_icmp no, \
>> max_tcp 262144, \
>> max_udp 131072, \
>> max_active_responses 2, \
>> min_response_seconds 5
>>
>> for whatever reason(s) now it doesn't like this line:
>>
>> min_response_seconds 5
>>
>> or according to syslog line
>>
>> max_active_responses 2, \
>>
>>
>>
>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>> On 8/15/2011 17:15, alexus wrote:
>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>
>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>
>>>> I don't understand why it's complaining ...
>>>
>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your
>>> snort compile, it won't work... use var instead of ipvar...
>>>
>>
>>
>>
>> --
>> http://alexus.org/
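
Both fatal errors in this thread come from snort.conf directives that the local Snort build does not recognise. The script below is an added example, not part of the original messages or of Snort itself: it reads the recommended build options from the snort.conf header and reports, with line numbers, directives whose feature is missing from the flags you passed to `./configure`. The function names are hypothetical, the `# OPTIONS :` header format is assumed, `ipvar` needing `--enable-ipv6` follows the reply quoted above, and tying `max_active_responses` / `min_response_seconds` to `--enable-active-response` is an assumption to confirm against the README files of your Snort version.

```shell
#!/bin/sh
# Added example: flag snort.conf directives that need a compile-time feature
# the local build lacks. The keyword-to-flag map is an assumption; verify it
# against the README files shipped with your Snort version.

# Print the build options recommended in the snort.conf header comment.
recommended_opts() {
    sed -n 's/^#[[:space:]]*OPTIONS[[:space:]]*:[[:space:]]*//p' "$1"
}

# lint_conf FILE "FLAGS GIVEN TO ./configure" -> "LINE: keyword needs FLAG"
lint_conf() {
    awk -v built=" $2 " '
    BEGIN {
        need["ipvar"] = "--enable-ipv6"
        need["max_active_responses"] = "--enable-active-response"
        need["min_response_seconds"] = "--enable-active-response"
    }
    /^[ \t]*#/ { next }                      # skip comment lines
    {
        line = $0
        gsub(/,/, " ", line)                 # option separators become spaces
        n = split(line, tok)                 # whitespace split; "\" is ignored
        for (i = 1; i <= n; i++)
            if ((tok[i] in need) && index(built, " " need[tok[i]] " ") == 0)
                printf "%d: %s needs %s\n", NR, tok[i], need[tok[i]]
    }' "$1"
}

# Constructed sample modelled on the lines quoted in the thread.
sample_conf() {
    cat <<'EOF'
# OPTIONS : --enable-ipv6 --enable-active-response
ipvar HOME_NET [64.237.55.65/27]
preprocessor stream5_global: track_tcp yes, \
   max_active_responses 2, \
   min_response_seconds 5
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_conf > "$tmp"
    echo "recommended: $(recommended_opts "$tmp")"
    lint_conf "$tmp" "--enable-ipv6"   # a build with IPv6 but no active response
    rm -f "$tmp"
fi
```

Run it with `--demo` to see the constructed sample, or source it and call `lint_conf /usr/local/etc/snort.conf "<your configure flags>"`.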