[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 01:06:55 EDT 2011


I have the following in my snort.conf (top section):

#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
--enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-zlib --enable-active-response
--enable-normalizer --enable-reload --enable-react --enable-flexresp3

I went ahead and recompiled it with all that, yet I still get the same results.

On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...> wrote:
> Look at the top of the snort.conf file. You should see our recommended
> compile options.
>
> Sent from my iPhone
> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>
> Anything specific?
>
> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>> Sounds like you may need to take a look at our recommended compile options
>> at the top of the snort.conf in the etc/ directory.
>>
>> Check that out.
>>
>> Sent from my iPhone
>>
>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>
>>> ok, done
>>> I don't have IPv6 enabled on my system, so you were right: as soon as I
>>> changed ipvar to var it went through that,
>>> but it complains about something else...
>>>
>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>> Aug 16 00:16:41 dd snort[22515]:
>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>> "/usr/local/etc/snort.conf"
>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>>> Aug 16 00:16:41 dd snort[22515]:
>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>> Aug 16 00:16:41 dd snort[22515]:
>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>> Aug 16 00:16:41 dd snort[22515]:
>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>> Aug 16 00:16:41 dd snort[22515]:
>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>> Aug 16 00:16:41 dd snort[22515]:
>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
>>> from /usr/local/lib/snort_dynamicrules...
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>> detection libs from /usr/local/lib/snort_dynamicrules
>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs
>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library
>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>> Aug 16 00:16:41 dd snort[22515]: done
>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>> (max_active_responses 2)
>>>
>>>
>>> # Target-Based stateful inspection/stream reassembly. For more
>>> information, see README.stream5
>>> preprocessor stream5_global: track_tcp yes, \
>>> track_udp yes, \
>>> track_icmp no, \
>>> max_tcp 262144, \
>>> max_udp 131072, \
>>> max_active_responses 2, \
>>> min_response_seconds 5
>>>
>>> for whatever reason(s) now it doesn't like this line:
>>>
>>> min_response_seconds 5
>>>
>>> or, according to the syslog line:
>>>
>>> max_active_responses 2, \
>>>
>>>
>>>
>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...>
>>> wrote:
>>>> On 8/15/2011 17:15, alexus wrote:
>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>>
>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>>
>>>>> I don't understand why it's complaining...
>>>>
>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your
>>>> snort compile, it won't work... use var instead of ipvar...
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> uberSVN's rich system and user administration capabilities and model
>>>> configuration take the hassle out of deploying and managing Subversion
>>>> and
>>>> the tools developers use with it. Learn more about uberSVN and get a
>>>> free
>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please see http://www.snort.org/docs for documentation
>>>>
>>>
>>>
>>>
>>> --
>>> http://alexus.org/
>>>
>>>
>



-- 
http://alexus.org/
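A pre-flight check for the dependency this thread runs into, added here as an example and not part of anyone's post: some snort.conf directives only parse when the binary was built with a particular ./configure option (ipvar needs --enable-ipv6; the Stream5 max_active_responses and min_response_seconds options need --enable-active-response, per the Snort 2.9 manual), and the checker reports which ones a given build cannot accept, with the same snort.conf(N) line number Snort prints in its FATAL ERROR. The directive-to-flag mapping and the sample configuration are constructed for this example.

```python
import re

# snort.conf directives that exist only when Snort was built with a given
# ./configure option. Assumption: mapping taken from the Snort 2.9 manual
# (ipvar needs IPv6 support; the Stream5 response options need active response).
REQUIRED_OPTION = {
    "ipvar": "--enable-ipv6",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
}

def recommended_options(conf_text):
    """Return the flags listed on the '#     OPTIONS :' line at the top of snort.conf."""
    m = re.search(r"^#\s*OPTIONS\s*:(.*)$", conf_text, re.MULTILINE)
    return set(re.findall(r"--enable-[\w-]+", m.group(1))) if m else set()

def check_config(conf_text, built_with):
    """Return (line, directive, missing_flag) for every directive a Snort built
    with the flags in `built_with` cannot parse. Comments are ignored and the
    line number is the one Snort reports as 'snort.conf(N)'."""
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]            # drop trailing/full-line comments
        for token in re.findall(r"[A-Za-z_]\w*", code):
            flag = REQUIRED_OPTION.get(token)
            if flag and flag not in built_with:
                problems.append((lineno, token, flag))
    return problems

# Constructed fragment mirroring the lines quoted in the thread.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-gre --enable-active-response
ipvar HOME_NET [64.237.55.65/27]
portvar HTTP_PORTS [80:81,311]
# Target-Based stateful inspection/stream reassembly.
preprocessor stream5_global: track_tcp yes, \\
    max_active_responses 2, \\
    min_response_seconds 5
"""

if __name__ == "__main__":
    minimal_build = {"--enable-gre"}          # built without IPv6 or active response
    for line, directive, flag in check_config(SAMPLE_CONF, minimal_build):
        print(f"snort.conf({line}): '{directive}' needs {flag}")
    # A build with every recommended option parses the whole file.
    assert check_config(SAMPLE_CONF, recommended_options(SAMPLE_CONF)) == []
```

Comparing the flags against what the installed binary actually reports (the Snort 2.x `snort -V` banner lists compiled-in features such as IPv6 and GRE) also catches the case where a freshly rebuilt binary is not the one found first on PATH.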



