[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 11:10:32 EDT 2011


ok, new stuff...
seems like it went through whatever it couldn't get through before, and now I'm
getting this

CLI:
Segmentation fault: 11 (core dumped)
syslog:
Aug 16 15:09:30 dd kernel: pid 69543 (snort), uid 0: exited on signal
11 (core dumped)


On Tue, Aug 16, 2011 at 11:08 AM, alexus <alexus at ...11827...> wrote:
> ok, I just did make clean and I'm making it again.. let's see how it
> works this time...
>
> On Tue, Aug 16, 2011 at 10:52 AM, Russ Combs <rcombs at ...1935...> wrote:
>> Make sure that you do a make clean and then make install after you
>> reconfigure.
>>
>> On Tue, Aug 16, 2011 at 10:36 AM, alexus <alexus at ...11827...> wrote:
>>>
>>> also if I take the snort.conf that came with the distro (2.9.0.5)
>>>
>>> snort stops on the following
>>>
>>> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>>> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>>> 'global' configuration.
>>>
>>> when I tried with the snort.conf that came with the rules I got the same message
>>>
>>> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>>> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>>> 'global' configuration.
>>>
>>>
>>>
>>> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>>> > I have following in my snort.conf (top section)
>>> >
>>> > #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>>> > --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>> > --enable-perfprofiling --enable-zlib --enable-active-response
>>> > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>> >
>>> > I went ahead and recompiled it with all that, yet I still get the same results
>>> >
>>> > On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...>
>>> > wrote:
>>> >> Look at the top of the snort.conf file. You should see our recommended
>>> >> compile options.
>>> >>
>>> >> Sent from my iPhone
>>> >> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>> >>
>>> >> Anything specific ?
>>> >>
>>> >> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>> >>> Sounds like you may need to take a look at our recommended compile
>>> >>> options
>>> >>> at the top of the snort.conf in the etc/ directory.
>>> >>>
>>> >>> Check that out.
>>> >>>
>>> >>> Sent from my iPhone
>>> >>>
>>> >>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>> >>>
>>> >>>> ok, done
>>> >>>> I don't have IPv6 enabled on my system, so you were right: as soon as I
>>> >>>> changed ipvar to var it went through that,
>>> >>>> but it complains about something else...
>>> >>>>
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>> >>>> Aug 16 00:16:41 dd snort[22515]:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>> >>>> "/usr/local/etc/snort.conf"
>>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>> >>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
>>> >>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>>> >>>> Aug 16 00:16:41 dd snort[22515]:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
>>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>> >>>> Aug 16 00:16:41 dd snort[22515]:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>> >>>> Aug 16 00:16:41 dd snort[22515]:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>> >>>> Aug 16 00:16:41 dd snort[22515]:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>> >>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>> >>>> Aug 16 00:16:41 dd snort[22515]:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>>> >>>> enabled
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>> >>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
>>> >>>> from /usr/local/lib/snort_dynamicrules...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>> >>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>> >>>> detection libs from /usr/local/lib/snort_dynamicrules
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>>> >>>> libs
>>> >>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>>
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>>
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>> >>>> library
>>> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>> >>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>> >>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>> >>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>> >>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>> >>>> (max_active_responses 2)
>>> >>>>
>>> >>>>
>>> >>>> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
>>> >>>> preprocessor stream5_global: track_tcp yes, \
>>> >>>>    track_udp yes, \
>>> >>>>    track_icmp no, \
>>> >>>>    max_tcp 262144, \
>>> >>>>    max_udp 131072, \
>>> >>>>    max_active_responses 2, \
>>> >>>>    min_response_seconds 5
>>> >>>>
>>> >>>> for whatever reason(s) now it doesn't like this line:
>>> >>>>
>>> >>>> min_response_seconds 5
>>> >>>>
>>> >>>> or, according to syslog, this line:
>>> >>>>
>>> >>>> max_active_responses 2, \
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty
>>> >>>> <wkitty42 at ...14940...>
>>> >>>> wrote:
>>> >>>>> On 8/15/2011 17:15, alexus wrote:
>>> >>>>>> line 45 of /usr/local/etc/snort.conf states:
>>> >>>>>>
>>> >>>>>> ipvar HOME_NET [64.237.55.65/27]
>>> >>>>>>
>>> >>>>>> I don't understand why it's complaining ...
>>> >>>>>
>>> >>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your
>>> >>>>> snort compile, it won't work... use var instead of ipvar...
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> ------------------------------------------------------------------------------
>>> >>>>> uberSVN's rich system and user administration capabilities and model
>>> >>>>> configuration take the hassle out of deploying and managing
>>> >>>>> Subversion
>>> >>>>> and
>>> >>>>> the tools developers use with it. Learn more about uberSVN and get a
>>> >>>>> free
>>> >>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>> >>>>> _______________________________________________
>>> >>>>> Snort-users mailing list
>>> >>>>> Snort-users at lists.sourceforge.net
>>> >>>>> Go to this URL to change user options or unsubscribe:
>>> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> >>>>> Snort-users list archive:
>>> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> >>>>>
>>> >>>>> Please see http://www.snort.org/docs for documentation
>>> >>>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> --
>>> >>>> http://alexus.org/
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > http://alexus.org/
>>> >
>>>
>>>
>>>
>>> --
>>> http://alexus.org/
>>>
>>>
>>
>
>
>
> --
> http://alexus.org/
>



-- 
http://alexus.org/
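Every FATAL ERROR in this thread has the same shape: a snort.conf keyword that the running binary was built without (ipvar without --enable-ipv6, compress_depth without --enable-zlib, max_active_responses and min_response_seconds without --enable-active-response), which the parser reports as an unknown keyword rather than a missing feature. The script below is an added example for this thread, not code from the thread or from the Snort project. It scans a snort.conf for such keywords, lists the ./configure flags they need, and reports which of those are absent from the flags actually passed to configure. The keyword-to-flag rows for ipv6, zlib and active-response come from the errors in the thread; the normalizer, ppm and perfprofiling rows are taken from the Snort 2.9 snort.conf comments and READMEs and are assumptions to check against your own version. The sample snort.conf the script writes is constructed, with a documentation address range in place of the poster's real one.

```shell
#!/bin/sh
# snort_conf_flags.sh: report the ./configure flags a snort.conf requires and
# which of them a given build is missing.
# Added example for this thread, not Snort project code. The keyword->flag
# table is assembled from the errors in the thread and the Snort 2.9 READMEs;
# the normalizer/ppm/perfprofiling rows are assumptions to verify locally.

# Table rows: "<flag> <extended regex matching a conf line that needs it>".
# Regexes use [[:space:]] rather than literal spaces so `read` can split rows.
required_flags_table() {
    cat <<'EOF'
--enable-ipv6 ^[[:space:]]*ipvar[[:space:]]
--enable-zlib compress_depth
--enable-active-response (max_active_responses|min_response_seconds)
--enable-normalizer ^[[:space:]]*preprocessor[[:space:]]+normalize_
--enable-ppm ^[[:space:]]*config[[:space:]]+ppm:
--enable-perfprofiling ^[[:space:]]*config[[:space:]]+profile_(rules|preprocs)
EOF
}

# Print, one per line, every flag some non-comment line of $1 requires.
snort_required_flags() {
    conf=$1
    required_flags_table | while read -r flag regex; do
        # Strip '#' comments first so commented-out samples do not count.
        if sed 's/#.*//' "$conf" | grep -Eq -- "$regex"; then
            printf '%s\n' "$flag"
        fi
    done
}

# Usage: snort_missing_flags <snort.conf> <configure flags...>
# Prints the required flags absent from the given list; exit 1 if any.
snort_missing_flags() {
    conf=$1; shift
    opts=" $* "
    missing=0
    for flag in $(snort_required_flags "$conf"); do
        case "$opts" in
            *" $flag "*) ;;
            *) printf '%s\n' "$flag"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample conf modelled on the lines quoted in the thread
# (documentation address range instead of the poster's real one).
write_sample_conf() {
    cat > "$1" <<'EOF'
#     OPTIONS : --enable-ipv6 --enable-zlib --enable-active-response
ipvar HOME_NET [192.0.2.0/27]
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
# config ppm: max-pkt-time 250   (commented out, so it must not count)
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 \
    compress_depth 65535 decompress_depth 65535
preprocessor stream5_global: track_tcp yes, \
    track_udp yes, \
    max_active_responses 2, \
    min_response_seconds 5
EOF
}

# Demo: the thread's first build (no recommended options) against the sample.
conf=$(mktemp) && write_sample_conf "$conf"
echo "flags this snort.conf needs:"
snort_required_flags "$conf"
echo "missing from ./configure --enable-gre --enable-mpls:"
snort_missing_flags "$conf" --enable-gre --enable-mpls || true
rm -f "$conf"
```

Run it as `sh snort_conf_flags.sh` for the demo, or source it and call `snort_missing_flags /usr/local/etc/snort.conf $(your configure flags)` before building. The table only covers the keywords named above; add a row whenever a new "Unknown ... option" or "Invalid keyword" error turns out to be a build-time feature. And, as the reply in the thread says, after changing configure flags run make clean before make and make install, otherwise the old object files keep the old feature set and the same errors come back.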



