[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 10:36:51 EDT 2011


Also, if I take the snort.conf that came with the distro (2.9.0.5)

snort stops on the following

Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
/usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
'global' configuration.

When I tried the snort.conf that came with the rules I got the same message

Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
/usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
'global' configuration.



On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
> I have the following in my snort.conf (top section)
>
> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
> --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
> --enable-perfprofiling --enable-zlib --enable-active-response
> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>
> I went ahead and recompiled it with all that, yet I still get the same results
>
> On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...> wrote:
>> Look at the top of the snort.conf file. You should see our recommended
>> compile options.
>>
>> Sent from my iPhone
>> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>
>> Anything specific ?
>>
>> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>> Sounds like you may need to take a look at our recommended compile options
>>> at the top of the snort.conf in the etc/ directory.
>>>
>>> Check that out.
>>>
>>> Sent from my iPhone
>>>
>>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>>
>>>> ok, done
>>>> I don't have IPv6 enabled on my system, so you were right: as soon as I
>>>> changed ipvar to var it went through that,
>>>> but it complains about something else...
>>>>
>>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>>> Aug 16 00:16:41 dd snort[22515]:
>>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>>> "/usr/local/etc/snort.conf"
>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
>>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>>>> Aug 16 00:16:41 dd snort[22515]:
>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
>>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>>> Aug 16 00:16:41 dd snort[22515]:
>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>>> Aug 16 00:16:41 dd snort[22515]:
>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>>> Aug 16 00:16:41 dd snort[22515]:
>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>>> Aug 16 00:16:41 dd snort[22515]:
>>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
>>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
>>>> from /usr/local/lib/snort_dynamicrules...
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>> detection libs from /usr/local/lib/snort_dynamicrules
>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs
>>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library
>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>> library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>>> (max_active_responses 2)
>>>>
>>>>
>>>> # Target-Based stateful inspection/stream reassembly. For more
>>>> inforation, see README.stream5
>>>> preprocessor stream5_global: track_tcp yes, \
>>>> track_udp yes, \
>>>> track_icmp no, \
>>>> max_tcp 262144, \
>>>> max_udp 131072, \
>>>> max_active_responses 2, \
>>>> min_response_seconds 5
>>>>
>>>> for whatever reason(s) now it doesn't like this line:
>>>>
>>>> min_response_seconds 5
>>>>
>>>> or according to syslog line
>>>>
>>>> max_active_responses 2, \
>>>>
>>>>
>>>>
>>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...>
>>>> wrote:
>>>>> On 8/15/2011 17:15, alexus wrote:
>>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>>>
>>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>>>
>>>>>> I don't understand why it's complaining ...
>>>>>
>>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your
>>>>> snort
>>>>> compile, it won't work... use var instead of ipvar...
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> uberSVN's rich system and user administration capabilities and model
>>>>> configuration take the hassle out of deploying and managing Subversion
>>>>> and
>>>>> the tools developers use with it. Learn more about uberSVN and get a
>>>>> free
>>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>> Please see http://www.snort.org/docs for documentation
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> http://alexus.org/
>>>>
>>>>
>>
>
>
>
> --
> http://alexus.org/
>



-- 
http://alexus.org/
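
The three fatal errors in this thread share one cause: snort.conf uses keywords that the running binary was not built to understand. The following checker is an added example, not part of the original messages or of the Snort project; the function names and the sample config are constructed, and every keyword-to-flag row except ipvar (stated in the thread) is an assumption to confirm against the documentation for your Snort version.

```python
import re

# Keyword -> configure flag. The ipvar row comes from the thread; the other
# rows are assumptions inferred from the errors quoted above.
GATED = {
    "ipvar": "--enable-ipv6",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
    "compress_depth": "--enable-zlib",
    "decompress_depth": "--enable-zlib",
}
FLAG_RE = re.compile(r"--enable-[a-z0-9-]+")
WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed sample config (not the poster's file).
SAMPLE_CONF = """\
#  OPTIONS : --enable-ipv6 --enable-gre --enable-zlib --enable-active-response
ipvar HOME_NET [192.0.2.0/27]
preprocessor stream5_global: track_tcp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
preprocessor http_inspect: global compress_depth 65535 decompress_depth 65535
"""

def recommended_flags(conf_text):
    """Flags named in the comment header ('# OPTIONS : ...') of snort.conf."""
    flags = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            flags.update(FLAG_RE.findall(line))
    return flags

def missing_features(conf_text, built_flags):
    """(line_no, keyword, flag) for active lines needing a flag not built in."""
    built = set(built_flags)
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        active = line.split("#", 1)[0]  # drop comments, incl. the header
        for word in WORD_RE.findall(active):
            flag = GATED.get(word)
            if flag and flag not in built:
                hits.append((no, word, flag))
    return hits

if __name__ == "__main__":
    # Pass the flags actually given to ./configure for the installed binary.
    for no, word, flag in missing_features(SAMPLE_CONF, {"--enable-gre"}):
        print(f"line {no}: '{word}' needs a build with {flag}")
```

Run it against the flags actually passed to `./configure` for the binary that is being started; an empty result means none of the listed keywords is the cause of the startup failure.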



