[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 11:41:35 EDT 2011


yes it happened right on the start up...

this is me doing uninstall...

su-3.2# make uninstall
Making uninstall in src
Making uninstall in sfutil
Making uninstall in win32
Making uninstall in output-plugins
Making uninstall in detection-plugins
Making uninstall in dynamic-plugins
Making uninstall in sf_engine
Making uninstall in examples
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicengine/libsf_engine.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicengine/libsf_engine.la
/usr/local/lib/snort_dynamicengine/libsf_engine.so.0
/usr/local/lib/snort_dynamicengine/libsf_engine.so
/usr/local/lib/snort_dynamicengine/libsf_engine.so
Making uninstall in sf_preproc_example
Making uninstall in preprocessors
Making uninstall in HttpInspect
Making uninstall in include
Making uninstall in utils
Making uninstall in user_interface
Making uninstall in session_inspection
Making uninstall in mode_inspection
Making uninstall in anomaly_detection
Making uninstall in event_output
Making uninstall in server
Making uninstall in client
Making uninstall in normalization
Making uninstall in Stream5
Making uninstall in parser
Making uninstall in dynamic-preprocessors
Making uninstall in libs
Making uninstall in ftptelnet
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
Making uninstall in smtp
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
Making uninstall in ssh
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
Making uninstall in dns
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
Making uninstall in ssl
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
Making uninstall in dcerpc2
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
Making uninstall in sdf
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
-f: not found
*** Error code 127

Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
*** Error code 1

Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
*** Error code 1

Stop in /usr/local/src/snort-2.9.0.5/src.
*** Error code 1

Stop in /usr/local/src/snort-2.9.0.5.
su-3.2#

and after re-making it, I'm getting the same Segmentation fault: 11 (core dumped)

On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs at ...1935...> wrote:
> Is that happening on start up?  Might try make uninstall and then make
> install.  If it still happens, then make clean, ./configure with prior
> options plus --enable-debug and rerun in the debugger and send a backtrace.
>
> You can check here for more information on that:
>
> http://www.snort.org/snort-downloads/submit-a-bug
>
> and as that says, in the doc/BUGS file in the source tree.
>
> On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:
>>
>> I took from the beginning of snort.conf
>>
>> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
>> --enable-decoder-preprocessor-rules --enable-ppm
>> --enable-perfprofiling --enable-zlib --enable-active-response
>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>
>> and I recompiled my snort with all these options, which includes zlib
>>
>> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
>> > you need to build snort with --enable-zlib for that one
>> >
>> > On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
>> >>
>> >> also if I take a snort.conf that came with distro (2.9.0.5)
>> >>
>> >> snort stops on following
>> >>
>> >> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>> >> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>> >> 'global' configuration.
>> >>
>> >> when I tried with snort.conf that came with rules I've got same message
>> >>
>> >> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>> >> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>> >> 'global' configuration.
>> >>
>> >>
>> >>
>> >> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>> >> > I have following in my snort.conf (top section)
>> >> >
>> >> > #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>> >> > --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>> >> > --enable-perfprofiling --enable-zlib --enable-active-response
>> >> > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>> >> >
>> >> > I went ahead and recompiled it with all that, yet I still get the same
>> >> > results
>> >> >
>> >> > On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...>
>> >> > wrote:
>> >> >> Look at the top of the snort.conf file. You should see our
>> >> >> recommended
>> >> >> compile options.
>> >> >>
>> >> >> Sent from my iPhone
>> >> >> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>> >> >>
>> >> >> Anything specific ?
>> >> >>
>> >> >> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>> >> >>> Sounds like you may need to take a look at our recommended compile
>> >> >>> options
>> >> >>> at the top of the snort.conf in the etc/ directory.
>> >> >>>
>> >> >>> Check that out.
>> >> >>>
>> >> >>> Sent from my iPhone
>> >> >>>
>> >> >>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>> >> >>>
>> >> >>>> ok, done
>> >> >>>> I don't have IPv6 enabled on my system, so you were right: as soon as I
>> >> >>>> changed ipvar to var it went through that,
>> >> >>>> but it complains about something else...
>> >> >>>>
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>> >> >>>> "/usr/local/etc/snort.conf"
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>> >> >>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028
>> >> >>>> 8080
>> >> >>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371
>> >> >>>> ]
>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined
>> >> >>>> :
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>> >> >>>> enabled
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>> >> >>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection
>> >> >>>> libs
>> >> >>>> from /usr/local/lib/snort_dynamicrules...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>> >> >>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>> >> >>>> detection libs from /usr/local/lib/snort_dynamicrules
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>> >> >>>> libs
>> >> >>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>>
>> >> >>>>
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>>
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>>
>> >> >>>>
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>> >> >>>> library
>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>> >> >>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304
>> >> >>>> bytes
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>> >> >>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>> >> >>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>> >> >>>> (max_active_responses 2)
>> >> >>>>
>> >> >>>>
>> >> >>>> # Target-Based stateful inspection/stream reassembly. For more
>> >> >>>> inforation, see README.stream5
>> >> >>>> preprocessor stream5_global: track_tcp yes, \
>> >> >>>> track_udp yes, \
>> >> >>>> track_icmp no, \
>> >> >>>> max_tcp 262144, \
>> >> >>>> max_udp 131072, \
>> >> >>>> max_active_responses 2, \
>> >> >>>> min_response_seconds 5
>> >> >>>>
>> >> >>>> for whatever reason(s) now it doesn't like this line:
>> >> >>>>
>> >> >>>> min_response_seconds 5
>> >> >>>>
>> >> >>>> or according to syslog line
>> >> >>>>
>> >> >>>> max_active_responses 2, \
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty
>> >> >>>> <wkitty42 at ...14940...>
>> >> >>>> wrote:
>> >> >>>>> On 8/15/2011 17:15, alexus wrote:
>> >> >>>>>> line 45 of /usr/local/etc/snort.conf states:
>> >> >>>>>>
>> >> >>>>>> ipvar HOME_NET [64.237.55.65/27]
>> >> >>>>>>
>> >> >>>>>> I don't understand why it's complaining ...
>> >> >>>>>
>> >> >>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled
>> >> >>>>> in
>> >> >>>>> your
>> >> >>>>> snort
>> >> >>>>> compile, it won't work... use var instead of ipvar...
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> ------------------------------------------------------------------------------
>> >> >>>>> uberSVN's rich system and user administration capabilities and
>> >> >>>>> model
>> >> >>>>> configuration take the hassle out of deploying and managing
>> >> >>>>> Subversion
>> >> >>>>> and
>> >> >>>>> the tools developers use with it. Learn more about uberSVN and
>> >> >>>>> get a
>> >> >>>>> free
>> >> >>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>> >> >>>>> _______________________________________________
>> >> >>>>> Snort-users mailing list
>> >> >>>>> Snort-users at lists.sourceforge.net
>> >> >>>>> Go to this URL to change user options or unsubscribe:
>> >> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >>>>> Snort-users list archive:
>> >> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >>>>>
>> >> >>>>> Please see http://www.snort.org/docs for documentation
>> >> >>>>>
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> --
>> >> >>>> http://alexus.org/
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > http://alexus.org/
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> http://alexus.org/
>> >>
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> http://alexus.org/
>>
>>
>



-- 
http://alexus.org/
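
The check this thread keeps coming back to (compare the build against the OPTIONS comment at the top of snort.conf, and map each rejected keyword to the configure flag it depends on), as an added example that is not part of the original messages or of Snort itself. The function names and the sample config are constructed; the ipvar and compress_depth pairings come from the replies above, while tying max_active_responses and min_response_seconds to --enable-active-response is an assumption.

```python
import re

FLAG_RE = re.compile(r"--enable-[a-z0-9-]+")

# Keyword -> configure flag it depends on. ipvar and compress_depth are the
# pairings given in the thread; the active-response pairing is an assumption.
KEYWORD_FLAG = {
    "ipvar": "--enable-ipv6",
    "compress_depth": "--enable-zlib",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
}

# Constructed sample, modelled on the snort.conf lines quoted in the thread.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-zlib --enable-active-response
ipvar HOME_NET [64.237.55.65/27]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535
preprocessor stream5_global: track_tcp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""

def parse_configure(cmdline):
    """Flags actually passed to ./configure, as a set."""
    return set(FLAG_RE.findall(cmdline))

def recommended_flags(conf_text):
    """Flags listed in the comment header at the top of snort.conf."""
    flags = set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            break  # first real directive ends the header
        flags.update(FLAG_RE.findall(stripped))
    return flags

def unsupported_keywords(conf_text, built_flags):
    """(line number, keyword, missing flag) for each keyword the build lacks."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        for keyword, flag in KEYWORD_FLAG.items():
            if flag not in built_flags and re.search(rf"\b{re.escape(keyword)}\b", code):
                hits.append((lineno, keyword, flag))
    return hits

if __name__ == "__main__":
    built = parse_configure("./configure --enable-zlib")
    print("missing:", sorted(recommended_flags(SAMPLE_CONF) - built))
    for lineno, keyword, flag in unsupported_keywords(SAMPLE_CONF, built):
        print(f"snort.conf({lineno}): '{keyword}' needs {flag}")
```

The flags a build tree was really configured with can be read from the `./configure` line near the top of its config.log.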