[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 16:50:02 EDT 2011


So should I be using another set of rules to get this thing going?

On Tue, Aug 16, 2011 at 11:50 AM, alexus <alexus at ...11827...> wrote:
> if that's helpful
>
> su-3.2# snort -c /usr/local/etc/snort.conf
> Running in IDS mode
>
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/usr/local/etc/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
> 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
> 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 ]
> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> Detection:
>   Search-Method = AC-Full-Q
>    Split Any/Any group = enabled
>    Search-Method-Optimizations = enabled
>    Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>  Loading dynamic detection library
> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
> done
>  Finished Loading all dynamic detection libs from
> /usr/local/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>  Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inline
> WARNING: tcp normalizations disabled because not inline
> WARNING: icmp4 normalizations disabled because not inline
> WARNING: ip6 normalizations disabled because not inline
> WARNING: icmp6 normalizations disabled because not inline
> Frag3 global config:
>    Max frags: 65536
>    Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>    Target-based policy: WINDOWS
>    Fragment timeout: 180 seconds
>    Fragment min_ttl:   1
>    Fragment Problems: 1
>    Overlap Limit:     10
>    Min fragment Length:     100
> Stream5 global config:
>    Track TCP sessions: ACTIVE
>    Max TCP sessions: 8192
>    Memcap (for reassembly packet storage): 8388608
>    Track UDP sessions: INACTIVE
>    Track ICMP sessions: INACTIVE
>    Log info if session memory consumption exceeds 1048576
>    Send up to 0 active responses
> Stream5 TCP Policy config:
>    Reassembly Policy: WINDOWS
>    Timeout: 180 seconds
>    Limit on TCP Overlaps: 10
>    Maximum number of bytes to queue per session: 1048576
>    Maximum number of segs to queue per session: 2621
>    Options:
>        Require 3-Way Handshake: YES
>        3-Way Handshake Timeout: 180
>        Detect Anomalies: YES
>    Reassembly Ports:
>      21 client (Footprint)
>      22 client (Footprint)
>      23 client (Footprint)
>      25 client (Footprint)
>      42 client (Footprint)
>      53 client (Footprint)
>      79 client (Footprint)
>      80 client (Footprint) server (Footprint)
>      81 client (Footprint) server (Footprint)
>      109 client (Footprint)
>      110 client (Footprint)
>      111 client (Footprint)
>      113 client (Footprint)
>      119 client (Footprint)
>      135 client (Footprint)
>      136 client (Footprint)
>      137 client (Footprint)
>      139 client (Footprint)
>      143 client (Footprint)
>      161 client (Footprint)
> Stream5 UDP Policy config:
>    Timeout: 180 seconds
> HttpInspect Config:
>    GLOBAL CONFIG
>      Max Pipeline Requests:    0
>      Inspection Type:          STATELESS
>      Detect Proxy Usage:       NO
>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>      IIS Unicode Map Codepage: 1252
>      Max Gzip Memory: 838860
>      Max Gzip Sessions: 6
>      Gzip Compress Depth: 65535
>      Gzip Decompress Depth: 65535
>    DEFAULT SERVER CONFIG:
>      Server profile: All
>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
> 8243 8280 8888 9090 9091 9443 9999 11371
>      Server Flow Depth: 0
>      Client Flow Depth: 0
>      Max Chunk Length: 500000
>      Max Header Field Length: 750
>      Max Number Header Fields: 100
>      Inspect Pipeline Requests: YES
>      URI Discovery Strict Mode: NO
>      Allow Proxy Usage: NO
>      Disable Alerting: NO
>      Oversize Dir Length: 500
>      Only inspect URI: NO
>      Normalize HTTP Headers: NO
>      Inspect HTTP Cookies: YES
>      Inspect HTTP Responses: YES
>      Extract Gzip from responses: YES
>      Unlimited decompression of gzip data from responses: YES
>      Normalize HTTP Cookies: NO
>      Enable XFF and True Client IP: NO
>      Extended ASCII code support in URI: NO
>      Ascii: YES alert: NO
>      Double Decoding: YES alert: NO
>      %U Encoding: YES alert: YES
>      Bare Byte: YES alert: NO
>      Base36: OFF
>      UTF 8: YES alert: NO
>      IIS Unicode: YES alert: NO
>      Multiple Slash: YES alert: NO
>      IIS Backslash: YES alert: NO
>      Directory Traversal: YES alert: NO
>      Web Root Traversal: YES alert: NO
>      Apache WhiteSpace: YES alert: NO
>      IIS Delimiter: YES alert: NO
>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
> 32776 32777 32778 32779
>    alert_fragments: INACTIVE
>    alert_large_fragments: INACTIVE
>    alert_incomplete: INACTIVE
>    alert_multiple_requests: INACTIVE
> Segmentation fault: 11 (core dumped)
> su-3.2#
>
>
> On Tue, Aug 16, 2011 at 11:46 AM, alexus <alexus at ...11827...> wrote:
>> Sorry, pressed send before completing the email...
>>
>> So I recompiled it with --enable-debug; how do you want me to re-run it?
>>
>> I think some rules are screwing it up, because when I run it as snort -Ds
>> it runs by itself...
>>
>> On Tue, Aug 16, 2011 at 11:41 AM, alexus <alexus at ...11827...> wrote:
>>> Yes, it happened right on start-up...
>>>
>>> This is me doing the uninstall...
>>>
>>> su-3.2# make uninstall
>>> Making uninstall in src
>>> Making uninstall in sfutil
>>> Making uninstall in win32
>>> Making uninstall in output-plugins
>>> Making uninstall in detection-plugins
>>> Making uninstall in dynamic-plugins
>>> Making uninstall in sf_engine
>>> Making uninstall in examples
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicengine/libsf_engine.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.la
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so.0
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>> Making uninstall in sf_preproc_example
>>> Making uninstall in preprocessors
>>> Making uninstall in HttpInspect
>>> Making uninstall in include
>>> Making uninstall in utils
>>> Making uninstall in user_interface
>>> Making uninstall in session_inspection
>>> Making uninstall in mode_inspection
>>> Making uninstall in anomaly_detection
>>> Making uninstall in event_output
>>> Making uninstall in server
>>> Making uninstall in client
>>> Making uninstall in normalization
>>> Making uninstall in Stream5
>>> Making uninstall in parser
>>> Making uninstall in dynamic-preprocessors
>>> Making uninstall in libs
>>> Making uninstall in ftptelnet
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>> Making uninstall in smtp
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>> Making uninstall in ssh
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>> Making uninstall in dns
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>> Making uninstall in ssl
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>> Making uninstall in dcerpc2
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>> Making uninstall in sdf
>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
>>> libtool: uninstall: rm -f
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>> -f: not found
>>> *** Error code 127
>>>
>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>> *** Error code 1
>>>
>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>> *** Error code 1
>>>
>>> Stop in /usr/local/src/snort-2.9.0.5/src.
>>> *** Error code 1
>>>
>>> Stop in /usr/local/src/snort-2.9.0.5.
>>> su-3.2#
>>>
>>> and after re-making it, I'm getting the same Segmentation fault: 11 (core dumped)
>>>
>>> On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs at ...1935...> wrote:
>>>> Is that happening on start up?  Might try make uninstall and then make
>>>> install.  If it still happens, then make clean, ./configure with prior
>>>> options plus --enable-debug and rerun in the debugger and send a backtrace.
>>>>
>>>> You can check here for more information on that:
>>>>
>>>> http://www.snort.org/snort-downloads/submit-a-bug
>>>>
>>>> and as that says, in the doc/BUGS file in the source tree.
>>>>
>>>> On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:
>>>>>
>>>>> I took this from the beginning of snort.conf
>>>>>
>>>>> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>
>>>>> and I recompiled my snort with all these options, which includes zlib
>>>>>
>>>>> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
>>>>> > you need to build snort with --enable-zlib for that one
>>>>> >
>>>>> > On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
>>>>> >>
>>>>> >> Also, if I take the snort.conf that came with the distro (2.9.0.5),
>>>>> >>
>>>>> >> snort stops on the following
>>>>> >>
>>>>> >> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>>>>> >> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>>>>> >> 'global' configuration.
>>>>> >>
>>>>> >> when I tried with the snort.conf that came with the rules I got the same message
>>>>> >>
>>>>> >> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>>>>> >> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>>>>> >> 'global' configuration.
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>>>>> >> > I have following in my snort.conf (top section)
>>>>> >> >
>>>>> >> > #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>>>>> >> > --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>>>> >> > --enable-perfprofiling --enable-zlib --enable-active-response
>>>>> >> > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>> >> >
>>>>> >> > I went ahead and recompiled it with all that, yet I still get the same
>>>>> >> > results
>>>>> >> >
>>>>> >> > On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...> wrote:
>>>>> >> >> Look at the top of the snort.conf file. You should see our recommended
>>>>> >> >> compile options.
>>>>> >> >>
>>>>> >> >> Sent from my iPhone
>>>>> >> >> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>>>> >> >>
>>>>> >> >> Anything specific?
>>>>> >> >>
>>>>> >> >> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>>>> >> >>> Sounds like you may need to take a look at our recommended compile
>>>>> >> >>> options at the top of the snort.conf in the etc/ directory.
>>>>> >> >>>
>>>>> >> >>> Check that out.
>>>>> >> >>>
>>>>> >> >>> Sent from my iPhone
>>>>> >> >>>
>>>>> >> >>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>>>> >> >>>
>>>>> >> >>>> OK, done.
>>>>> >> >>>> I don't have IPv6 enabled on my system, so you were right: as soon as
>>>>> >> >>>> I changed ipvar to var it went through that,
>>>>> >> >>>> but it complains about something else...
>>>>> >> >>>>
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>>>> >> >>>> "/usr/local/etc/snort.conf"
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>>>> >> >>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028
>>>>> >> >>>> 8080
>>>>> >> >>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371
>>>>> >> >>>> ]
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined
>>>>> >> >>>> :
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>>>>> >> >>>> enabled
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>>>> >> >>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection
>>>>> >> >>>> libs
>>>>> >> >>>> from /usr/local/lib/snort_dynamicrules...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>>>> >> >>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>> >> >>>> detection libs from /usr/local/lib/snort_dynamicrules
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>>>>> >> >>>> libs
>>>>> >> >>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>>
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>> >> >>>> library
>>>>> >> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>> >> >>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304
>>>>> >> >>>> bytes
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>>>> >> >>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>>>> >> >>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>>>> >> >>>> (max_active_responses 2)
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>> # Target-Based stateful inspection/stream reassembly. For more
>>>>> >> >>>> information, see README.stream5
>>>>> >> >>>> preprocessor stream5_global: track_tcp yes, \
>>>>> >> >>>> track_udp yes, \
>>>>> >> >>>> track_icmp no, \
>>>>> >> >>>> max_tcp 262144, \
>>>>> >> >>>> max_udp 131072, \
>>>>> >> >>>> max_active_responses 2, \
>>>>> >> >>>> min_response_seconds 5
>>>>> >> >>>>
>>>>> >> >>>> for whatever reason(s) now it doesn't like this line:
>>>>> >> >>>>
>>>>> >> >>>> min_response_seconds 5
>>>>> >> >>>>
>>>>> >> >>>> or, according to the syslog line,
>>>>> >> >>>>
>>>>> >> >>>> max_active_responses 2, \
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>> >> >>>>> On 8/15/2011 17:15, alexus wrote:
>>>>> >> >>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>> >> >>>>>>
>>>>> >> >>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>> >> >>>>>>
>>>>> >> >>>>>> I don't understand why it's complaining ...
>>>>> >> >>>>>
>>>>> >> >>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your
>>>>> >> >>>>> snort compile, it won't work... use var instead of ipvar...
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>>
>>>>> >> >>>>> ------------------------------------------------------------------------------
>>>>> >> >>>>> uberSVN's rich system and user administration capabilities and
>>>>> >> >>>>> model
>>>>> >> >>>>> configuration take the hassle out of deploying and managing
>>>>> >> >>>>> Subversion
>>>>> >> >>>>> and
>>>>> >> >>>>> the tools developers use with it. Learn more about uberSVN and
>>>>> >> >>>>> get a
>>>>> >> >>>>> free
>>>>> >> >>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>>> >> >>>>> _______________________________________________
>>>>> >> >>>>> Snort-users mailing list
>>>>> >> >>>>> Snort-users at lists.sourceforge.net
>>>>> >> >>>>> Go to this URL to change user options or unsubscribe:
>>>>> >> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> >> >>>>> Snort-users list archive:
>>>>> >> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>> >> >>>>>
>>>>> >> >>>>> Please see http://www.snort.org/docs for documentation
>>>>> >> >>>>>
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>> --
>>>>> >> >>>> http://alexus.org/
>>>>> >> >>>>
>>>>> >> >>
>>>>> >> >
>>>>> >> >
>>>>> >> >
>>>>> >> > --
>>>>> >> > http://alexus.org/
>>>>> >> >
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> --
>>>>> >> http://alexus.org/
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://alexus.org/
>>>>
>>>
>>>
>>>
>>> --
>>> http://alexus.org/
>>>
>>
>>
>>
>> --
>> http://alexus.org/
>>
>
>
>
> --
> http://alexus.org/
>



-- 
http://alexus.org/
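The build-option dependencies this thread keeps tripping over (ipvar needing --enable-ipv6, http_inspect compress_depth needing --enable-zlib, stream5 max_active_responses needing --enable-active-response) can be caught before Snort aborts at start-up. The check below is an added example, not code from the thread or from the Snort project; the snort.conf sample is constructed, and the stream5 entry in the mapping follows the Snort 2.9 README.stream5 rather than a reply in the thread.

```python
# Pre-flight lint for a Snort 2.9.x snort.conf: find directives that only parse when
# Snort was configured with a matching --enable-* option (added example, not Snort code).
import re

# (pattern on a logical config line, configure option that enables it, label).
# ipvar and compress_depth follow the replies in the thread; the stream5
# active-response entry follows the Snort 2.9 README.stream5.
REQUIRES = [
    (re.compile(r"^ipvar\b"), "--enable-ipv6", "ipvar"),
    (re.compile(r"^preprocessor\s+http_inspect:.*\b(de)?compress_depth\b"),
     "--enable-zlib", "http_inspect (de)compress_depth"),
    (re.compile(r"^preprocessor\s+stream5_global:.*"
                r"\b(max_active_responses|min_response_seconds)\b"),
     "--enable-active-response", "stream5_global active-response options"),
]

# Constructed sample modelled on the config discussed in the thread.
SAMPLE_CONF = """\
#   Snort build options (recommended)
#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
#     --enable-zlib --enable-active-response --enable-normalizer
#--------------------------------------------------
ipvar HOME_NET [192.0.2.0/27]
var EXTERNAL_NET any
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
# Target-Based stateful inspection/stream reassembly.
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""

def logical_lines(text):
    """Yield (first_line_no, text) per logical line: fold the trailing-backslash
    continuations snort.conf uses and skip blank and comment lines."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)

def recommended_options(text):
    """Set of --enable-* flags in the '#     OPTIONS :' header comment (may be wrapped)."""
    opts, collecting = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#"):
            if collecting:
                break
            continue
        body = line.lstrip("#").strip()
        if body.startswith("OPTIONS"):
            collecting = True
        if collecting:
            found = re.findall(r"--enable-[\w-]+", body)
            if not found and not body.startswith("OPTIONS"):
                break  # first comment line without flags ends the OPTIONS block
            opts.update(found)
    return opts

def required_options(text):
    """Map each configure option the config depends on to [(line, label)], in file order."""
    needs = {}
    for no, line in logical_lines(text):
        for pat, flag, label in REQUIRES:
            if pat.search(line):
                needs.setdefault(flag, []).append((no, label))
    return needs

def check(text, built_with):
    """[(line, label, missing_flag)] for directives a build with `built_with` flags
    cannot parse; built_with is the set of --enable-* options given to ./configure."""
    return [(no, label, flag) for flag, uses in required_options(text).items()
            if flag not in built_with for no, label in uses]
```

Running `check(SAMPLE_CONF, {"--enable-zlib"})` reports the ipvar line and the stream5_global block as unparseable by that build, while a build configured with `recommended_options(SAMPLE_CONF)` reports nothing.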



