[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 11:08:43 EDT 2011


OK, I just did make clean and I'm making it again... let's see how it
works this time...

On Tue, Aug 16, 2011 at 10:52 AM, Russ Combs <rcombs at ...1935...> wrote:
> Make sure that you do a make clean and then make install after you
> reconfigure.
>
> On Tue, Aug 16, 2011 at 10:36 AM, alexus <alexus at ...11827...> wrote:
>>
>> Also, if I take the snort.conf that came with the distro (2.9.0.5),
>>
>> snort stops on the following:
>>
>> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>> 'global' configuration.
>>
>> When I tried with the snort.conf that came with the rules I got the same message:
>>
>> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>> 'global' configuration.
>>
>>
>>
>> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>> > I have the following in my snort.conf (top section):
>> >
>> > #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>> > --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>> > --enable-perfprofiling --enable-zlib --enable-active-response
>> > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>> >
>> > I went ahead and recompiled it with all that, yet I still get the same results.
>> >
>> > On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...> wrote:
>> >> Look at the top of the snort.conf file. You should see our recommended
>> >> compile options.
>> >>
>> >> Sent from my iPhone
>> >> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>> >>
>> >> Anything specific?
>> >>
>> >> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>> >>> Sounds like you may need to take a look at our recommended compile options
>> >>> at the top of the snort.conf in the etc/ directory.
>> >>>
>> >>> Check that out.
>> >>>
>> >>> Sent from my iPhone
>> >>>
>> >>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>> >>>
>> >>>> OK, done.
>> >>>> I don't have IPv6 enabled on my system, so you were right: as soon as I
>> >>>> changed ipvar to var it went through that,
>> >>>> but it complains about something else...
>> >>>>
>> >>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>> >>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>> >>>> "/usr/local/etc/snort.conf"
>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>> >>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
>> >>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>> >>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>> >>>> enabled
>> >>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>> >>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>> >>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
>> >>>> from /usr/local/lib/snort_dynamicrules...
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>> >>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>> >>>> detection libs from /usr/local/lib/snort_dynamicrules
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>> >>>> libs
>> >>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>>
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>>
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >>>> library
>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>> >>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>> >>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>> >>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
>> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>> >>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>> >>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>> >>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>> >>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>> >>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>> >>>> (max_active_responses 2)
>> >>>>
>> >>>>
>> >>>> # Target-Based stateful inspection/stream reassembly. For more
>> >>>> information, see README.stream5
>> >>>> preprocessor stream5_global: track_tcp yes, \
>> >>>> track_udp yes, \
>> >>>> track_icmp no, \
>> >>>> max_tcp 262144, \
>> >>>> max_udp 131072, \
>> >>>> max_active_responses 2, \
>> >>>> min_response_seconds 5
>> >>>>
>> >>>> For whatever reason(s), now it doesn't like this line:
>> >>>>
>> >>>> min_response_seconds 5
>> >>>>
>> >>>> or, according to syslog, the line
>> >>>>
>> >>>> max_active_responses 2, \
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> >>>>> On 8/15/2011 17:15, alexus wrote:
>> >>>>>> line 45 of /usr/local/etc/snort.conf states:
>> >>>>>>
>> >>>>>> ipvar HOME_NET [64.237.55.65/27]
>> >>>>>>
>> >>>>>> I don't understand why it's complaining...
>> >>>>>
>> >>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your
>> >>>>> snort compile, it won't work... use var instead of ipvar...
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> ------------------------------------------------------------------------------
>> >>>>> uberSVN's rich system and user administration capabilities and model
>> >>>>> configuration take the hassle out of deploying and managing
>> >>>>> Subversion
>> >>>>> and
>> >>>>> the tools developers use with it. Learn more about uberSVN and get a
>> >>>>> free
>> >>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>> >>>>> _______________________________________________
>> >>>>> Snort-users mailing list
>> >>>>> Snort-users at lists.sourceforge.net
>> >>>>> Go to this URL to change user options or unsubscribe:
>> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >>>>> Snort-users list archive:
>> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >>>>>
>> >>>>> Please see http://www.snort.org/docs for documentation
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> http://alexus.org/
>> >>>>
>> >>>>
>> >>>>
>> >>
>> >
>> >
>> >
>> > --
>> > http://alexus.org/
>> >
>>
>>
>>
>> --
>> http://alexus.org/
>>
>>
>



-- 
http://alexus.org/
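A pre-flight check for the mismatch this thread keeps hitting (ipvar without --enable-ipv6, compress_depth without --enable-zlib, max_active_responses and min_response_seconds without --enable-active-response): it reads the OPTIONS header Joel points at and reports which live directives the binary cannot parse. This is an added example, not code from the thread or from the Snort project; the keyword-to-option mapping and the sample snort.conf are constructed assumptions drawn from the errors quoted above, and the set of options the binary was actually built with has to be supplied by the user.

```python
"""Pre-flight check for snort.conf: report directives that need a ./configure
option the binary lacks. Added example; the mapping below is an assumption."""
import re
import sys
# Assumed mapping: config keyword -> configure option that enables it.
REQUIRED_OPTION = {
    "ipvar": "--enable-ipv6",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
    "compress_depth": "--enable-zlib",
    "decompress_depth": "--enable-zlib",
}
# Constructed sample, shaped like the snippets quoted in the thread.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-gre --enable-zlib --enable-active-response
ipvar HOME_NET [192.0.2.0/24]
# ipvar EXTERNAL_NET any
var RULE_PATH ../rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor stream5_global: track_tcp yes, \\
    max_active_responses 2, \\
    min_response_seconds 5
"""

def recommended_options(conf_text):
    """Flags listed in comment lines, i.e. the '# OPTIONS :' header of snort.conf."""
    flags = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            flags.update(re.findall(r"--enable-[\w-]+", line))
    return flags

def check(conf_text, built_with):
    """[(lineno, keyword, missing_option)] for each uncommented directive whose
    option is absent from built_with; lineno is the file line, as in 'snort.conf(N)'."""
    problems = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for word in re.findall(r"[A-Za-z_]+", stripped):
            needed = REQUIRED_OPTION.get(word)
            if needed and needed not in built_with:
                problems.append((lineno, word, needed))
    return problems

if __name__ == "__main__":  # usage: script.py snort.conf --enable-ipv6 ...
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, word, needed in check(text, set(sys.argv[2:])):
        print(f"snort.conf({lineno}): '{word}' needs {needed}")
```

Run it against the real file with the options you passed to ./configure; an empty report means every directive is parseable by that build, and a non-empty one tells you whether to recompile (then make clean, make install) or to drop the directive.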



