[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Joel Esler jesler at ...1935...
Tue Aug 16 16:59:40 EDT 2011


Can you provide your snort.conf file and OS version for us?

Joel

On Aug 16, 2011, at 4:50 PM, alexus wrote:

> so should I be using another set of rules to get this thing going?
> 
> On Tue, Aug 16, 2011 at 11:50 AM, alexus <alexus at ...11827...> wrote:
>> if that's helpful
>> 
>> su-3.2# snort -c /usr/local/etc/snort.conf
>> Running in IDS mode
>> 
>>        --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file "/usr/local/etc/snort.conf"
>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
>> 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
>> 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>> Detection:
>>   Search-Method = AC-Full-Q
>>    Split Any/Any group = enabled
>>    Search-Method-Optimizations = enabled
>>    Maximum pattern length = 20
>> Tagged Packet Limit: 256
>> Loading dynamic engine
>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>  Loading dynamic detection library
>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>> done
>>  Finished Loading all dynamic detection libs from
>> /usr/local/lib/snort_dynamicrules
>> Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/...
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>  Finished Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/
>> Log directory = /var/log/snort
>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>> normalizations disabled because not inlineWARNING: icmp4
>> normalizations disabled because not inlineWARNING: ip6 normalizations
>> disabled because not inlineWARNING: icmp6 normalizations disabled
>> because not inlineFrag3 global config:
>>    Max frags: 65536
>>    Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>>    Target-based policy: WINDOWS
>>    Fragment timeout: 180 seconds
>>    Fragment min_ttl:   1
>>    Fragment Problems: 1
>>    Overlap Limit:     10
>>    Min fragment Length:     100
>> Stream5 global config:
>>    Track TCP sessions: ACTIVE
>>    Max TCP sessions: 8192
>>    Memcap (for reassembly packet storage): 8388608
>>    Track UDP sessions: INACTIVE
>>    Track ICMP sessions: INACTIVE
>>    Log info if session memory consumption exceeds 1048576
>>    Send up to 0 active responses
>> Stream5 TCP Policy config:
>>    Reassembly Policy: WINDOWS
>>    Timeout: 180 seconds
>>    Limit on TCP Overlaps: 10
>>    Maximum number of bytes to queue per session: 1048576
>>    Maximum number of segs to queue per session: 2621
>>    Options:
>>        Require 3-Way Handshake: YES
>>        3-Way Handshake Timeout: 180
>>        Detect Anomalies: YES
>>    Reassembly Ports:
>>      21 client (Footprint)
>>      22 client (Footprint)
>>      23 client (Footprint)
>>      25 client (Footprint)
>>      42 client (Footprint)
>>      53 client (Footprint)
>>      79 client (Footprint)
>>      80 client (Footprint) server (Footprint)
>>      81 client (Footprint) server (Footprint)
>>      109 client (Footprint)
>>      110 client (Footprint)
>>      111 client (Footprint)
>>      113 client (Footprint)
>>      119 client (Footprint)
>>      135 client (Footprint)
>>      136 client (Footprint)
>>      137 client (Footprint)
>>      139 client (Footprint)
>>      143 client (Footprint)
>>      161 client (Footprint)
>> Stream5 UDP Policy config:
>>    Timeout: 180 seconds
>> HttpInspect Config:
>>    GLOBAL CONFIG
>>      Max Pipeline Requests:    0
>>      Inspection Type:          STATELESS
>>      Detect Proxy Usage:       NO
>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>      IIS Unicode Map Codepage: 1252
>>      Max Gzip Memory: 838860
>>      Max Gzip Sessions: 6
>>      Gzip Compress Depth: 65535
>>      Gzip Decompress Depth: 65535
>>    DEFAULT SERVER CONFIG:
>>      Server profile: All
>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>> 8243 8280 8888 9090 9091 9443 9999 11371
>>      Server Flow Depth: 0
>>      Client Flow Depth: 0
>>      Max Chunk Length: 500000
>>      Max Header Field Length: 750
>>      Max Number Header Fields: 100
>>      Inspect Pipeline Requests: YES
>>      URI Discovery Strict Mode: NO
>>      Allow Proxy Usage: NO
>>      Disable Alerting: NO
>>      Oversize Dir Length: 500
>>      Only inspect URI: NO
>>      Normalize HTTP Headers: NO
>>      Inspect HTTP Cookies: YES
>>      Inspect HTTP Responses: YES
>>      Extract Gzip from responses: YES
>>      Unlimited decompression of gzip data from responses: YES
>>      Normalize HTTP Cookies: NO
>>      Enable XFF and True Client IP: NO
>>      Extended ASCII code support in URI: NO
>>      Ascii: YES alert: NO
>>      Double Decoding: YES alert: NO
>>      %U Encoding: YES alert: YES
>>      Bare Byte: YES alert: NO
>>      Base36: OFF
>>      UTF 8: YES alert: NO
>>      IIS Unicode: YES alert: NO
>>      Multiple Slash: YES alert: NO
>>      IIS Backslash: YES alert: NO
>>      Directory Traversal: YES alert: NO
>>      Web Root Traversal: YES alert: NO
>>      Apache WhiteSpace: YES alert: NO
>>      IIS Delimiter: YES alert: NO
>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> rpc_decode arguments:
>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>> 32776 32777 32778 32779
>>    alert_fragments: INACTIVE
>>    alert_large_fragments: INACTIVE
>>    alert_incomplete: INACTIVE
>>    alert_multiple_requests: INACTIVE
>> Segmentation fault: 11 (core dumped)
>> su-3.2#
>> 
>> 
>> On Tue, Aug 16, 2011 at 11:46 AM, alexus <alexus at ...11827...> wrote:
>>> sorry, pressed send before completing the email...
>>> 
>>> so I recompiled it with --enable-debug; how do you want me to re-run it?
>>> 
>>> I think some rules are screwing it up, because when I run it as snort -Ds
>>> it runs by itself...
>>> 
>>> On Tue, Aug 16, 2011 at 11:41 AM, alexus <alexus at ...11827...> wrote:
>>>> yes it happened right on the start up...
>>>> 
>>>> this is me doing uninstall...
>>>> 
>>>> su-3.2# make uninstall
>>>> Making uninstall in src
>>>> Making uninstall in sfutil
>>>> Making uninstall in win32
>>>> Making uninstall in output-plugins
>>>> Making uninstall in detection-plugins
>>>> Making uninstall in dynamic-plugins
>>>> Making uninstall in sf_engine
>>>> Making uninstall in examples
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicengine/libsf_engine.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.la
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so.0
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>> Making uninstall in sf_preproc_example
>>>> Making uninstall in preprocessors
>>>> Making uninstall in HttpInspect
>>>> Making uninstall in include
>>>> Making uninstall in utils
>>>> Making uninstall in user_interface
>>>> Making uninstall in session_inspection
>>>> Making uninstall in mode_inspection
>>>> Making uninstall in anomaly_detection
>>>> Making uninstall in event_output
>>>> Making uninstall in server
>>>> Making uninstall in client
>>>> Making uninstall in normalization
>>>> Making uninstall in Stream5
>>>> Making uninstall in parser
>>>> Making uninstall in dynamic-preprocessors
>>>> Making uninstall in libs
>>>> Making uninstall in ftptelnet
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>> Making uninstall in smtp
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>> Making uninstall in ssh
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>> Making uninstall in dns
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>> Making uninstall in ssl
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>> Making uninstall in dcerpc2
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>> Making uninstall in sdf
>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
>>>> libtool: uninstall: rm -f
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>> -f: not found
>>>> *** Error code 127
>>>> 
>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>> *** Error code 1
>>>> 
>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>> *** Error code 1
>>>> 
>>>> Stop in /usr/local/src/snort-2.9.0.5/src.
>>>> *** Error code 1
>>>> 
>>>> Stop in /usr/local/src/snort-2.9.0.5.
>>>> su-3.2#
>>>> 
>>>> and after re-making it, I'm getting the same Segmentation fault: 11 (core dumped)
>>>> 
>>>> On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs at ...1935...> wrote:
>>>>> Is that happening on start up?  Might try make uninstall and then make
>>>>> install.  If it still happens, then make clean, ./configure with prior
>>>>> options plus --enable-debug and rerun in the debugger and send a backtrace.
>>>>> 
>>>>> You can check here for more information on that:
>>>>> 
>>>>> http://www.snort.org/snort-downloads/submit-a-bug
>>>>> 
>>>>> and as that says, in the doc/BUGS file in the source tree.
>>>>> 
>>>>> On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:
>>>>>> 
>>>>>> I took this from the beginning of snort.conf
>>>>>> 
>>>>>> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
>>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>> 
>>>>>> and I recompiled my snort with all these options, which includes zlib
>>>>>> 
>>>>>> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
>>>>>>> you need to build snort with --enable-zlib for that one
>>>>>>> 
>>>>>>> On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>> 
>>>>>>>> also, if I take the snort.conf that came with the distro (2.9.0.5),
>>>>>>>> 
>>>>>>>> snort stops on the following
>>>>>>>> 
>>>>>>>> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>>>>>>>> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>>>>>>>> 'global' configuration.
>>>>>>>> 
>>>>>>>> when I tried with the snort.conf that came with the rules I got the same message
>>>>>>>> 
>>>>>>>> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>>>>>>>> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>>>>>>>> 'global' configuration.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>> I have the following in my snort.conf (top section)
>>>>>>>>> 
>>>>>>>>> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>>>>>>>>> --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>>> 
>>>>>>>>> I went ahead and recompiled it with all that, yet I still get the same
>>>>>>>>> results
>>>>>>>>> 
>>>>>>>>> On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...> wrote:
>>>>>>>>>> Look at the top of the snort.conf file. You should see our
>>>>>>>>>> recommended compile options.
>>>>>>>>>> 
>>>>>>>>>> Sent from my iPhone
>>>>>>>>>> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>>>>>>>>> 
>>>>>>>>>> Anything specific?
>>>>>>>>>> 
>>>>>>>>>> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>>>>>>>>>> Sounds like you may need to take a look at our recommended compile
>>>>>>>>>>> options at the top of the snort.conf in the etc/ directory.
>>>>>>>>>>> 
>>>>>>>>>>> Check that out.
>>>>>>>>>>> 
>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>> 
>>>>>>>>>>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> ok, done
>>>>>>>>>>>> I don't have IPv6 enabled on my system, so you were right: as soon as
>>>>>>>>>>>> I changed ipvar to var it went through that,
>>>>>>>>>>>> but it complains about something else...
>>>>>>>>>>>> 
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>>>>>>>>>>> "/usr/local/etc/snort.conf"
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>>>>>>>>>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028
>>>>>>>>>>>> 8080
>>>>>>>>>>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371
>>>>>>>>>>>> ]
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined
>>>>>>>>>>>> :
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>>>>>>>>>>>> enabled
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>>>>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection
>>>>>>>>>>>> libs
>>>>>>>>>>>> from /usr/local/lib/snort_dynamicrules...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>>>>>>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>> detection libs from /usr/local/lib/snort_dynamicrules
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>>>>>>>>>>>> libs
>>>>>>>>>>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> 
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>> library
>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304
>>>>>>>>>>>> bytes
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>>>>>>>>>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>>>>>>>>>>> (max_active_responses 2)
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> # Target-Based stateful inspection/stream reassembly. For more
>>>>>>>>>>>> inforation, see README.stream5
>>>>>>>>>>>> preprocessor stream5_global: track_tcp yes, \
>>>>>>>>>>>> track_udp yes, \
>>>>>>>>>>>> track_icmp no, \
>>>>>>>>>>>> max_tcp 262144, \
>>>>>>>>>>>> max_udp 131072, \
>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>> 
>>>>>>>>>>>> for whatever reason(s) now it doesn't like this line:
>>>>>>>>>>>> 
>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>> 
>>>>>>>>>>>> or, according to syslog, the line
>>>>>>>>>>>> 
>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>>>>>>>>>> On 8/15/2011 17:15, alexus wrote:
>>>>>>>>>>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> I don't understand why it's complaining...
>>>>>>>>>>>>> 
>>>>>>>>>>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your
>>>>>>>>>>>>> snort compile, it won't work... use var instead of ipvar...
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>> uberSVN's rich system and user administration capabilities and
>>>>>>>>>>>>> model
>>>>>>>>>>>>> configuration take the hassle out of deploying and managing
>>>>>>>>>>>>> Subversion
>>>>>>>>>>>>> and
>>>>>>>>>>>>> the tools developers use with it. Learn more about uberSVN and
>>>>>>>>>>>>> get a
>>>>>>>>>>>>> free
>>>>>>>>>>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Snort-users mailing list
>>>>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>>>>> Snort-users list archive:
>>>>>>>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Please see http://www.snort.org/docs for documentation
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> --
>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> http://alexus.org/
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> http://alexus.org/
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> http://alexus.org/
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> http://alexus.org/
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> http://alexus.org/
>>> 
>> 
>> 
>> 
>> --
>> http://alexus.org/
>> 
> 
> 
> 
> -- 
> http://alexus.org/
> 

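The thread above boils down to one rule: several snort.conf directives only parse when Snort was configured with a matching flag, and the recommended flags are listed in the `#     OPTIONS :` comment at the top of the file. Below is an added example, not part of this thread or of Snort's own tooling, that checks a snort.conf against the flags a build was configured with; the directive-to-flag map (ipvar needs --enable-ipv6, http_inspect compress_depth/decompress_depth need --enable-zlib, the stream5_global active-response options need --enable-active-response) and the sample configuration are assumptions drawn from the errors quoted in the thread.

```python
"""Flag snort.conf directives that need a configure option the build lacks.

Added example, not Snort's own code. Assumes the recommended flags sit on a
single '#     OPTIONS : ...' comment line near the top of snort.conf, as in
the Snort 2.9 distribution file.
"""
import re

# Directive keyword -> configure flag the build must have been given.
# Assumed mapping, taken from the errors discussed in the thread.
REQUIRED_FLAGS = {
    "ipvar": "--enable-ipv6",                       # "Unknown rule type: ipvar"
    "compress_depth": "--enable-zlib",              # "Invalid keyword 'compress_depth'"
    "decompress_depth": "--enable-zlib",            # same gzip feature
    "max_active_responses": "--enable-active-response",  # "Unknown Stream5 global option"
    "min_response_seconds": "--enable-active-response",
}

# Constructed sample snort.conf; a build without the listed flags will
# trip over lines 2, 4 (continued through line 7) and 8.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-gre --enable-zlib --enable-active-response
ipvar HOME_NET [192.0.2.0/24]
var EXTERNAL_NET any
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
"""


def recommended_options(conf_text):
    """Return the configure flags named on the '# OPTIONS :' header comment."""
    for line in conf_text.splitlines():
        m = re.match(r"^#\s*OPTIONS\s*:\s*(.*)$", line)
        if m:
            return set(m.group(1).split())
    return set()


def logical_lines(conf_text):
    """Yield (first_line_number, text) with backslash continuations merged,
    so an error is reported at the line Snort would name."""
    buf, start = [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def check_conf(conf_text, built_with):
    """Return [(line, keyword, missing_flag)] for every directive the build cannot parse.

    built_with is the set of --enable-* flags the binary was configured with
    (for example the set returned by recommended_options() when the build
    followed the header, or a smaller set typed in from config.log).
    """
    problems = []
    for n, text in logical_lines(conf_text):
        body = text.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        for token in re.findall(r"[A-Za-z_]+", body):
            flag = REQUIRED_FLAGS.get(token)
            if flag and flag not in built_with:
                problems.append((n, token, flag))
    return problems


if __name__ == "__main__":
    # A build configured with only --enable-gre, compared with the header's flags.
    for built in ({"--enable-gre"}, recommended_options(SAMPLE_CONF)):
        print("built with:", " ".join(sorted(built)) or "(nothing)")
        for line, kw, flag in check_conf(SAMPLE_CONF, built) or []:
            print(f"  snort.conf({line}): '{kw}' needs {flag}")
```

Run it against a real snort.conf by replacing `SAMPLE_CONF` with the file's contents and `built_with` with the flags from the build's config.log; an empty result means every directive in the file is one that build can parse.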