[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Joel Esler jesler at ...1935...
Mon Aug 15 22:22:27 EDT 2011


Look at the top of the snort.conf file. You should see our recommended compile options.  

Sent from my iPhone

On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:

> Anything specific?
> 
> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
> > Sounds like you may need to take a look at our recommended compile options at the top of the snort.conf in the etc/ directory. 
> > 
> > Check that out. 
> > 
> > Sent from my iPhone
> > 
> > On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
> > 
> >> OK, done.
> >> I don't have IPv6 enabled on my system, so you were right: as soon as I
> >> changed ipvar to var it went through that,
> >> but it complains about something else...
> >> 
> >> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
> >> Aug 16 00:16:41 dd snort[22515]:
> >> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
> >> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
> >> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
> >> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
> >> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file "/usr/local/etc/snort.conf"
> >> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
> >> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
> >> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
> >> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
> >> Aug 16 00:16:41 dd snort[22515]:
> >> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
> >> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
> >> Aug 16 00:16:41 dd snort[22515]:
> >> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
> >> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
> >> Aug 16 00:16:41 dd snort[22515]:
> >> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
> >> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
> >> Aug 16 00:16:41 dd snort[22515]:
> >> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
> >> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
> >> Aug 16 00:16:41 dd snort[22515]:
> >> Aug 16 00:16:41 dd snort[22515]: Detection:
> >> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
> >> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
> >> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
> >> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
> >> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
> >> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
> >> from /usr/local/lib/snort_dynamicrules...
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
> >> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >> detection libs from /usr/local/lib/snort_dynamicrules
> >> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs
> >> from /usr/local/lib/snort_dynamicpreprocessor/...
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
> >> Aug 16 00:16:41 dd snort[22515]: done
> >> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> >> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
> >> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
> >> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
> >> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
> >> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
> >> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
> >> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
> >> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
> >> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
> >> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
> >> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
> >> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
> >> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
> >> (max_active_responses 2)
> >> 
> >> 
> >> # Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
> >> preprocessor stream5_global: track_tcp yes, \
> >> track_udp yes, \
> >> track_icmp no, \
> >> max_tcp 262144, \
> >> max_udp 131072, \
> >> max_active_responses 2, \
> >> min_response_seconds 5
> >> 
> >> For whatever reason(s), it now doesn't like this line:
> >> 
> >> min_response_seconds 5
> >> 
> >> or, according to syslog, the line
> >> 
> >> max_active_responses 2, \
> >> 
> >> 
> >> 
> >> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> >>> On 8/15/2011 17:15, alexus wrote:
> >>>> line 45 of /usr/local/etc/snort.conf states:
> >>>> 
> >>>> ipvar HOME_NET [64.237.55.65/27]
> >>>> 
> >>>> I don't understand why it's complaining ...
> >>> 
> >>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your snort
> >>> compile, it won't work... use var instead of ipvar...
> >>> 
> >>> 
> >>> ------------------------------------------------------------------------------
> >>> uberSVN's rich system and user administration capabilities and model
> >>> configuration take the hassle out of deploying and managing Subversion and
> >>> the tools developers use with it. Learn more about uberSVN and get a free
> >>> download at: http://p.sf.net/sfu/wandisco-dev2dev
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>> 
> >>> Please see http://www.snort.org/docs for documentation
> >>> 
> >> 
> >> 
> >> 
> >> -- 
> >> http://alexus.org/
> >> 
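Added example (not part of the thread and not Snort project code): a pre-flight check for the two failures discussed above. It joins backslash-continued statements, flags keywords that depend on build options, and gives both the physical line of the keyword and the last line of the continued statement, which is the line number the error cited in this thread. The configure switch names in GATED and the sample config are assumptions; confirm them against the compile-options comment at the top of your snort.conf.

```python
import re

# Assumed mapping: keyword -> ./configure switch that must have been used.
# The ipvar/IPv6 dependency is from the thread; the rest is this example's assumption.
GATED = {
    "ipvar": "--enable-ipv6",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
}

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE = r"""# constructed sample, not a real snort.conf
ipvar HOME_NET [64.237.55.65/27]

preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
"""

def logical_statements(text):
    """Yield lists of (lineno, text), one list per backslash-continued statement."""
    group = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not group and (not line or line.startswith("#")):
            continue  # blank line or comment outside a continuation
        group.append((lineno, line.rstrip("\\").strip()))
        if not line.endswith("\\"):
            yield group
            group = []
    if group:
        yield group  # file ended in the middle of a continuation

def find_gated(text, enabled=frozenset()):
    """Return (keyword, physical_line, statement_end_line, needed_switch) tuples."""
    findings = []
    for group in logical_statements(text):
        end_line = group[-1][0]  # where the continued statement ends
        for lineno, line in group:
            for word in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", line):
                switch = GATED.get(word)
                if switch and switch not in enabled:
                    findings.append((word, lineno, end_line, switch))
    return findings

if __name__ == "__main__":
    for word, line, end, switch in find_gated(SAMPLE):
        print(f"line {line} (statement ends at {end}): '{word}' needs {switch}")
```

Pass the switches your binary was built with as `enabled` to silence the matching findings; an empty result means none of the listed keywords should trip the parser.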