[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Russ Combs rcombs at ...1935...
Tue Aug 16 10:52:51 EDT 2011


Make sure that you do a make clean and then make install after you
reconfigure.

On Tue, Aug 16, 2011 at 10:36 AM, alexus <alexus at ...11827...> wrote:

> Also, if I take the snort.conf that came with the distro (2.9.0.5),
>
> snort stops on the following:
>
> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
> 'global' configuration.
>
> When I tried with the snort.conf that came with the rules, I got the same message:
>
> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
> 'global' configuration.
>
>
>
> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
> > I have the following in my snort.conf (top section):
> >
> > #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
> > --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
> > --enable-perfprofiling --enable-zlib --enable-active-response
> > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
> >
> > I went ahead and recompiled it with all that, yet I still get the same results.
> >
> > On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...> wrote:
> >> Look at the top of the snort.conf file. You should see our recommended
> >> compile options.
> >>
> >> Sent from my iPhone
> >> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
> >>
> >> Anything specific?
> >>
> >> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
> >>> Sounds like you may need to take a look at our recommended compile
> >>> options at the top of the snort.conf in the etc/ directory.
> >>>
> >>> Check that out.
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
> >>>
> >>>> OK, done.
> >>>> I don't have IPv6 enabled on my system, so you were right: as soon as I
> >>>> changed ipvar to var it went through that,
> >>>> but it complains about something else...
> >>>>
> >>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
> >>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
> >>>> "/usr/local/etc/snort.conf"
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
> >>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
> >>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: Detection:
> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
> >>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
> >>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
> >>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
> >>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
> >>>> from /usr/local/lib/snort_dynamicrules...
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
> >>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >>>> detection libs from /usr/local/lib/snort_dynamicrules
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs
> >>>> from /usr/local/lib/snort_dynamicpreprocessor/...
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>>
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>>
> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> >>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
> >>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
> >>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
> >>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
> >>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
> >>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
> >>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
> >>>> (max_active_responses 2)
> >>>>
> >>>>
> >>>> # Target-Based stateful inspection/stream reassembly. For more
> >>>> inforation, see README.stream5
> >>>> preprocessor stream5_global: track_tcp yes, \
> >>>> track_udp yes, \
> >>>> track_icmp no, \
> >>>> max_tcp 262144, \
> >>>> max_udp 131072, \
> >>>> max_active_responses 2, \
> >>>> min_response_seconds 5
> >>>>
> >>>> for whatever reason(s) now it doesn't like this line:
> >>>>
> >>>> min_response_seconds 5
> >>>>
> >>>> or according to syslog line
> >>>>
> >>>> max_active_responses 2, \
> >>>>
> >>>>
> >>>>
> >>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> >>>>> On 8/15/2011 17:15, alexus wrote:
> >>>>>> line 45 of /usr/local/etc/snort.conf states:
> >>>>>>
> >>>>>> ipvar HOME_NET [64.237.55.65/27]
> >>>>>>
> >>>>>> I don't understand why it's complaining ...
> >>>>>
> >>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in
> >>>>> your snort compile, it won't work... use var instead of ipvar...
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> http://alexus.org/
> >>>>
> >>>>
> >>>>
> ------------------------------------------------------------------------------
> >>>> uberSVN's rich system and user administration capabilities and model
> >>>> configuration take the hassle out of deploying and managing Subversion
> >>>> and
> >>>> the tools developers use with it. Learn more about uberSVN and get a
> free
> >>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
> >>>> _______________________________________________
> >>>> Snort-users mailing list
> >>>> Snort-users at lists.sourceforge.net
> >>>> Go to this URL to change user options or unsubscribe:
> >>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>> Snort-users list archive:
> >>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>
> >>>> Please see http://www.snort.org/docs for documentation
> >>
> >
> >
> >
> > --
> > http://alexus.org/
> >
>
>
>
> --
> http://alexus.org/
>
>
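One practical check drawn from this thread, as an added example that is not from the list or from the Snort project: a POSIX sh function that scans a snort.conf for the directives the thread shows failing on builds that lack a feature (ipvar without --enable-ipv6, stream5 max_active_responses/min_response_seconds without --enable-active-response, compress_depth without --enable-zlib) and compares them against the flags actually passed to ./configure. The directive-to-flag mapping is my assumption based on the thread, and the sample config is constructed; the flags themselves are the recommended ones listed at the top of the stock snort.conf.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): report snort.conf
# directives that need a compile-time feature which was not passed to
# ./configure. The directive -> flag table is an assumption drawn from the
# thread, not Snort documentation. Remember: after changing configure flags,
# run "make clean" and then "make install" so the new build is really used.

# snort_conf_missing_flags CONF "FLAGS..."
# Prints one "directive flag" line per directive whose flag is absent.
snort_conf_missing_flags() {
    conf=$1
    flags=$2
    # directive|required configure flag (constructed table)
    table='ipvar|--enable-ipv6
max_active_responses|--enable-active-response
min_response_seconds|--enable-active-response
compress_depth|--enable-zlib'
    printf '%s\n' "$table" | while IFS='|' read -r directive flag; do
        # Ignore comment lines (the header lists the flags as a comment),
        # then look for the directive as a whole word.
        if grep -v '^[[:space:]]*#' "$conf" | grep -qw "$directive"; then
            case " $flags " in
                *" $flag "*) ;;                        # flag present: fine
                *) printf '%s %s\n' "$directive" "$flag" ;;
            esac
        fi
    done
}

# Constructed sample config mirroring the lines that failed in the thread.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
ipvar HOME_NET [64.237.55.65/27]
preprocessor stream5_global: track_tcp yes, \
    max_active_responses 2, \
    min_response_seconds 5
# compress_depth 65535   (commented out: must be ignored)
EOF

# A build configured without active response: the two stream5 options
# are reported, ipvar is not, and the commented-out compress_depth is skipped.
snort_conf_missing_flags "$sample_conf" "--enable-ipv6 --enable-gre"
rm -f "$sample_conf"
```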

