[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Russ Combs rcombs at ...1935...
Tue Aug 16 11:23:25 EDT 2011


Is that happening on start up?  Might try make uninstall and then make
install.  If it still happens, then make clean, ./configure with prior
options plus --enable-debug and rerun in the debugger and send a backtrace.

You can check here for more information on that:

http://www.snort.org/snort-downloads/submit-a-bug

and as that says, in the doc/BUGS file in the source tree.

On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:

> I took from the beginning of snort.conf
>
> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
> --enable-decoder-preprocessor-rules --enable-ppm
> --enable-perfprofiling --enable-zlib --enable-active-response
> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>
> and I recompiled my snort with all these options, which includes zlib
>
> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
> > you need to build snort with --enable-zlib for that one
> >
> > On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
> >>
> >> also if I take a snort.conf that came with distro (2.9.0.5)
> >>
> >> snort stops on following
> >>
> >> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
> >> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
> >> 'global' configuration.
> >>
> >> when I tried with snort.conf that came with rules I've got same message
> >>
> >> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
> >> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
> >> 'global' configuration.
> >>
> >>
> >>
> >> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
> >> > I have following in my snort.conf (top section)
> >> >
> >> > #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
> >> > --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
> >> > --enable-perfprofiling --enable-zlib --enable-active-response
> >> > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
> >> >
> >> > I went ahead and recompiled it with all that yet I still get the same
> >> > results
> >> >
> >> > On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...>
> >> > wrote:
> >> >> Look at the top of the snort.conf file. You should see our
> >> >> recommended compile options.
> >> >>
> >> >> Sent from my iPhone
> >> >> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
> >> >>
> >> >> Anything specific ?
> >> >>
> >> >> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
> >> >>> Sounds like you may need to take a look at our recommended compile
> >> >>> options
> >> >>> at the top of the snort.conf in the etc/ directory.
> >> >>>
> >> >>> Check that out.
> >> >>>
> >> >>> Sent from my iPhone
> >> >>>
> >> >>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
> >> >>>
> >> >>>> ok, done
> >> >>>> I don't have ipv6 enabled on my system so you were right as soon as I
> >> >>>> changed ipvar to var it went through that
> >> >>>> but it complains about something else...
> >> >>>>
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
> >> >>>> Aug 16 00:16:41 dd snort[22515]:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
> >> >>>> "/usr/local/etc/snort.conf"
> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
> >> >>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
> >> >>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
> >> >>>> Aug 16 00:16:41 dd snort[22515]:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
> >> >>>> Aug 16 00:16:41 dd snort[22515]:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
> >> >>>> Aug 16 00:16:41 dd snort[22515]:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
> >> >>>> Aug 16 00:16:41 dd snort[22515]:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
> >> >>>> Aug 16 00:16:41 dd snort[22515]:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Detection:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
> >> >>>> enabled
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
> >> >>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
> >> >>>> from /usr/local/lib/snort_dynamicrules...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
> >> >>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >> >>>> detection libs from /usr/local/lib/snort_dynamicrules
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
> >> >>>> libs
> >> >>>> from /usr/local/lib/snort_dynamicpreprocessor/...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >> >>>> library
> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >> >>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
> >> >>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
> >> >>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
> >> >>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
> >> >>>> (max_active_responses 2)
> >> >>>>
> >> >>>>
> >> >>>> # Target-Based stateful inspection/stream reassembly. For more
> >> >>>> inforation, see README.stream5
> >> >>>> preprocessor stream5_global: track_tcp yes, \
> >> >>>> track_udp yes, \
> >> >>>> track_icmp no, \
> >> >>>> max_tcp 262144, \
> >> >>>> max_udp 131072, \
> >> >>>> max_active_responses 2, \
> >> >>>> min_response_seconds 5
> >> >>>>
> >> >>>> for whatever reason(s) now it doesn't like this line:
> >> >>>>
> >> >>>> min_response_seconds 5
> >> >>>>
> >> >>>> or according to syslog line
> >> >>>>
> >> >>>> max_active_responses 2, \
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty
> >> >>>> <wkitty42 at ...14940...>
> >> >>>> wrote:
> >> >>>>> On 8/15/2011 17:15, alexus wrote:
> >> >>>>>> line 45 of /usr/local/etc/snort.conf states:
> >> >>>>>>
> >> >>>>>> ipvar HOME_NET [64.237.55.65/27]
> >> >>>>>>
> >> >>>>>> I don't understand why it's complaining ...
> >> >>>>>
> >> >>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in
> >> >>>>> your snort compile, it won't work... use var instead of ipvar...
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> >> >>>>>
> ------------------------------------------------------------------------------
> >> >>>>> uberSVN's rich system and user administration capabilities and
> model
> >> >>>>> configuration take the hassle out of deploying and managing
> >> >>>>> Subversion
> >> >>>>> and
> >> >>>>> the tools developers use with it. Learn more about uberSVN and get
> a
> >> >>>>> free
> >> >>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
> >> >>>>> _______________________________________________
> >> >>>>> Snort-users mailing list
> >> >>>>> Snort-users at lists.sourceforge.net
> >> >>>>> Go to this URL to change user options or unsubscribe:
> >> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> >>>>> Snort-users list archive:
> >> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >> >>>>>
> >> >>>>> Please see http://www.snort.org/docs for documentation
> >> >>>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> --
> >> >>>> http://alexus.org/
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > http://alexus.org/
> >> >
> >>
> >>
> >>
> >> --
> >> http://alexus.org/
> >>
> >>
> >>
> >
>
>
>
> --
> http://alexus.org/
>
>
>
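
An added example, not part of the original thread and not Snort project code: a preflight check that compares the `# OPTIONS :` header of snort.conf with the options a build was configured with, and lists config keywords the build cannot parse. The function names and the sample config are constructed for illustration; the `ipvar` and `compress_depth` pairings come from the thread, while tying `max_active_responses` and `min_response_seconds` to `--enable-active-response` is an assumption.

```python
import re

# Keyword -> configure option it needs. The ipvar and compress_depth pairings
# are from the thread; the active-response pairing is an assumption.
KEYWORD_REQUIRES = {
    "ipvar": "--enable-ipv6",
    "compress_depth": "--enable-zlib",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
}
OPTION_RE = re.compile(r"--enable-[\w-]+")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORD_REQUIRES) + r")\b")

def recommended_options(conf_text):
    """Options listed in the '# OPTIONS :' comment header of snort.conf."""
    opts, in_header = set(), False
    for line in conf_text.splitlines():
        if line.startswith("#") and "OPTIONS :" in line:
            in_header = True
        elif in_header and not (line.startswith("#") and OPTION_RE.search(line)):
            break  # header ended: first line that is not a wrapped option list
        if in_header:
            opts.update(OPTION_RE.findall(line))
    return opts

def built_options(configure_cmd):
    """--enable-* options from a ./configure command line (e.g. from config.log)."""
    return set(OPTION_RE.findall(configure_cmd))

def unsupported_keywords(conf_text, built):
    """(line number, keyword, missing option) for keywords the build lacks."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore comments
        for kw in KEYWORD_RE.findall(code):
            if KEYWORD_REQUIRES[kw] not in built:
                findings.append((lineno, kw, KEYWORD_REQUIRES[kw]))
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-zlib --enable-active-response
ipvar HOME_NET [192.0.2.0/24]
preprocessor stream5_global: track_tcp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535
"""
SAMPLE_CONFIGURE = "./configure --enable-zlib --enable-gre"

if __name__ == "__main__":
    built = built_options(SAMPLE_CONFIGURE)
    print("missing from build:", sorted(recommended_options(SAMPLE_CONF) - built))
    for lineno, kw, opt in unsupported_keywords(SAMPLE_CONF, built):
        print(f"snort.conf({lineno}): '{kw}' needs {opt}")
```

If this reports nothing for the build tree's configure line but Snort still rejects the keyword, the binary being run was probably not produced by that build.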