[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 17:02:21 EDT 2011


The file came from the snortrules that I pulled yesterday, plus I've made
small modifications for HOMENET and some ports that apply to my
system.

my system is:

FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
17:48:16 UTC 2011
alexus at ...15356...:/usr/obj/usr/src/sys/GENERIC  amd64

snort.conf is attached


On Tue, Aug 16, 2011 at 4:59 PM, Joel Esler <jesler at ...1935...> wrote:
> Can you provide your snort.conf file and OS version for us?
>
> Joel
>
> On Aug 16, 2011, at 4:50 PM, alexus wrote:
>
>> So should I be using another set of rules to get this thing going?
>>
>> On Tue, Aug 16, 2011 at 11:50 AM, alexus <alexus at ...11827...> wrote:
>>> if that's helpful
>>>
>>> su-3.2# snort -c /usr/local/etc/snort.conf
>>> Running in IDS mode
>>>
>>>        --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
>>> 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
>>> 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>>> Detection:
>>>   Search-Method = AC-Full-Q
>>>    Split Any/Any group = enabled
>>>    Search-Method-Optimizations = enabled
>>>    Maximum pattern length = 20
>>> Tagged Packet Limit: 256
>>> Loading dynamic engine
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>  Loading dynamic detection library
>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>> done
>>>  Finished Loading all dynamic detection libs from
>>> /usr/local/lib/snort_dynamicrules
>>> Loading all dynamic preprocessor libs from
>>> /usr/local/lib/snort_dynamicpreprocessor/...
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>>  Finished Loading all dynamic preprocessor libs from
>>> /usr/local/lib/snort_dynamicpreprocessor/
>>> Log directory = /var/log/snort
>>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>>> normalizations disabled because not inlineWARNING: icmp4
>>> normalizations disabled because not inlineWARNING: ip6 normalizations
>>> disabled because not inlineWARNING: icmp6 normalizations disabled
>>> because not inlineFrag3 global config:
>>>    Max frags: 65536
>>>    Fragment memory cap: 4194304 bytes
>>> Frag3 engine config:
>>>    Target-based policy: WINDOWS
>>>    Fragment timeout: 180 seconds
>>>    Fragment min_ttl:   1
>>>    Fragment Problems: 1
>>>    Overlap Limit:     10
>>>    Min fragment Length:     100
>>> Stream5 global config:
>>>    Track TCP sessions: ACTIVE
>>>    Max TCP sessions: 8192
>>>    Memcap (for reassembly packet storage): 8388608
>>>    Track UDP sessions: INACTIVE
>>>    Track ICMP sessions: INACTIVE
>>>    Log info if session memory consumption exceeds 1048576
>>>    Send up to 0 active responses
>>> Stream5 TCP Policy config:
>>>    Reassembly Policy: WINDOWS
>>>    Timeout: 180 seconds
>>>    Limit on TCP Overlaps: 10
>>>    Maximum number of bytes to queue per session: 1048576
>>>    Maximum number of segs to queue per session: 2621
>>>    Options:
>>>        Require 3-Way Handshake: YES
>>>        3-Way Handshake Timeout: 180
>>>        Detect Anomalies: YES
>>>    Reassembly Ports:
>>>      21 client (Footprint)
>>>      22 client (Footprint)
>>>      23 client (Footprint)
>>>      25 client (Footprint)
>>>      42 client (Footprint)
>>>      53 client (Footprint)
>>>      79 client (Footprint)
>>>      80 client (Footprint) server (Footprint)
>>>      81 client (Footprint) server (Footprint)
>>>      109 client (Footprint)
>>>      110 client (Footprint)
>>>      111 client (Footprint)
>>>      113 client (Footprint)
>>>      119 client (Footprint)
>>>      135 client (Footprint)
>>>      136 client (Footprint)
>>>      137 client (Footprint)
>>>      139 client (Footprint)
>>>      143 client (Footprint)
>>>      161 client (Footprint)
>>> Stream5 UDP Policy config:
>>>    Timeout: 180 seconds
>>> HttpInspect Config:
>>>    GLOBAL CONFIG
>>>      Max Pipeline Requests:    0
>>>      Inspection Type:          STATELESS
>>>      Detect Proxy Usage:       NO
>>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>      IIS Unicode Map Codepage: 1252
>>>      Max Gzip Memory: 838860
>>>      Max Gzip Sessions: 6
>>>      Gzip Compress Depth: 65535
>>>      Gzip Decompress Depth: 65535
>>>    DEFAULT SERVER CONFIG:
>>>      Server profile: All
>>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>      Server Flow Depth: 0
>>>      Client Flow Depth: 0
>>>      Max Chunk Length: 500000
>>>      Max Header Field Length: 750
>>>      Max Number Header Fields: 100
>>>      Inspect Pipeline Requests: YES
>>>      URI Discovery Strict Mode: NO
>>>      Allow Proxy Usage: NO
>>>      Disable Alerting: NO
>>>      Oversize Dir Length: 500
>>>      Only inspect URI: NO
>>>      Normalize HTTP Headers: NO
>>>      Inspect HTTP Cookies: YES
>>>      Inspect HTTP Responses: YES
>>>      Extract Gzip from responses: YES
>>>      Unlimited decompression of gzip data from responses: YES
>>>      Normalize HTTP Cookies: NO
>>>      Enable XFF and True Client IP: NO
>>>      Extended ASCII code support in URI: NO
>>>      Ascii: YES alert: NO
>>>      Double Decoding: YES alert: NO
>>>      %U Encoding: YES alert: YES
>>>      Bare Byte: YES alert: NO
>>>      Base36: OFF
>>>      UTF 8: YES alert: NO
>>>      IIS Unicode: YES alert: NO
>>>      Multiple Slash: YES alert: NO
>>>      IIS Backslash: YES alert: NO
>>>      Directory Traversal: YES alert: NO
>>>      Web Root Traversal: YES alert: NO
>>>      Apache WhiteSpace: YES alert: NO
>>>      IIS Delimiter: YES alert: NO
>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>>> rpc_decode arguments:
>>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>> 32776 32777 32778 32779
>>>    alert_fragments: INACTIVE
>>>    alert_large_fragments: INACTIVE
>>>    alert_incomplete: INACTIVE
>>>    alert_multiple_requests: INACTIVE
>>> Segmentation fault: 11 (core dumped)
>>> su-3.2#
>>>
>>>
>>> On Tue, Aug 16, 2011 at 11:46 AM, alexus <alexus at ...11827...> wrote:
>>>> sorry, pressed send before completing the email...
>>>>
>>>> so I recompiled it with --enable-debug; how do you want me to re-run it?
>>>>
>>>> I think some rules are screwing it up, because when I run it as snort -Ds
>>>> it runs by itself...
>>>>
>>>> On Tue, Aug 16, 2011 at 11:41 AM, alexus <alexus at ...11827...> wrote:
>>>>> yes it happened right on the start up...
>>>>>
>>>>> this is me doing uninstall...
>>>>>
>>>>> su-3.2# make uninstall
>>>>> Making uninstall in src
>>>>> Making uninstall in sfutil
>>>>> Making uninstall in win32
>>>>> Making uninstall in output-plugins
>>>>> Making uninstall in detection-plugins
>>>>> Making uninstall in dynamic-plugins
>>>>> Making uninstall in sf_engine
>>>>> Making uninstall in examples
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicengine/libsf_engine.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.la
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so.0
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>> Making uninstall in sf_preproc_example
>>>>> Making uninstall in preprocessors
>>>>> Making uninstall in HttpInspect
>>>>> Making uninstall in include
>>>>> Making uninstall in utils
>>>>> Making uninstall in user_interface
>>>>> Making uninstall in session_inspection
>>>>> Making uninstall in mode_inspection
>>>>> Making uninstall in anomaly_detection
>>>>> Making uninstall in event_output
>>>>> Making uninstall in server
>>>>> Making uninstall in client
>>>>> Making uninstall in normalization
>>>>> Making uninstall in Stream5
>>>>> Making uninstall in parser
>>>>> Making uninstall in dynamic-preprocessors
>>>>> Making uninstall in libs
>>>>> Making uninstall in ftptelnet
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>> Making uninstall in smtp
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>> Making uninstall in ssh
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>> Making uninstall in dns
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>> Making uninstall in ssl
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>> Making uninstall in dcerpc2
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>> Making uninstall in sdf
>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
>>>>> libtool: uninstall: rm -f
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>> -f: not found
>>>>> *** Error code 127
>>>>>
>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/local/src/snort-2.9.0.5/src.
>>>>> *** Error code 1
>>>>>
>>>>> Stop in /usr/local/src/snort-2.9.0.5.
>>>>> su-3.2#
>>>>>
>>>>> and after re-making it, I'm getting the same Segmentation fault: 11 (core dumped)
>>>>>
>>>>> On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs at ...1935...> wrote:
>>>>>> Is that happening on start up?  Might try make uninstall and then make
>>>>>> install.  If it still happens, then make clean, ./configure with prior
>>>>>> options plus --enable-debug and rerun in the debugger and send a backtrace.
>>>>>>
>>>>>> You can check here for more information on that:
>>>>>>
>>>>>> http://www.snort.org/snort-downloads/submit-a-bug
>>>>>>
>>>>>> and as that says, in the doc/BUGS file in the source tree.
>>>>>>
>>>>>> On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>
>>>>>>> I took this from the beginning of snort.conf
>>>>>>>
>>>>>>> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
>>>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>
>>>>>>> and I recompiled my snort with all these options, which includes zlib
>>>>>>>
>>>>>>> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
>>>>>>>> you need to build snort with --enable-zlib for that one
>>>>>>>>
>>>>>>>> On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>
>>>>>>>>> also, if I take the snort.conf that came with the distro (2.9.0.5),
>>>>>>>>>
>>>>>>>>> snort stops on the following
>>>>>>>>>
>>>>>>>>> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>>>>>>>>> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>>>>>>>>> 'global' configuration.
>>>>>>>>>
>>>>>>>>> when I tried with the snort.conf that came with the rules, I got the same message
>>>>>>>>>
>>>>>>>>> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>>>>>>>>> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>>>>>>>>> 'global' configuration.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>> I have the following in my snort.conf (top section)
>>>>>>>>>>
>>>>>>>>>> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>>>>>>>>>> --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>>>>
>>>>>>>>>> I went ahead and recompiled it with all that, yet I still get the same
>>>>>>>>>> results
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...>
>>>>>>>>>> wrote:
>>>>>>>>>>> Look at the top of the snort.conf file. You should see our
>>>>>>>>>>> recommended
>>>>>>>>>>> compile options.
>>>>>>>>>>>
>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Anything specific?
>>>>>>>>>>>
>>>>>>>>>>> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>>>>>>>>>>> Sounds like you may need to take a look at our recommended compile
>>>>>>>>>>>> options
>>>>>>>>>>>> at the top of the snort.conf in the etc/ directory.
>>>>>>>>>>>>
>>>>>>>>>>>> Check that out.
>>>>>>>>>>>>
>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>
>>>>>>>>>>>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> ok, done
>>>>>>>>>>>>> I don't have IPv6 enabled on my system, so you were right: as soon as
>>>>>>>>>>>>> I changed ipvar to var it went through that,
>>>>>>>>>>>>> but it complains about something else...
>>>>>>>>>>>>>
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>>>>>>>>>>>> "/usr/local/etc/snort.conf"
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>>>>>>>>>>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028
>>>>>>>>>>>>> 8080
>>>>>>>>>>>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371
>>>>>>>>>>>>> ]
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined
>>>>>>>>>>>>> :
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>>>>>>>>>>>>> enabled
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection
>>>>>>>>>>>>> libs
>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicrules...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>> detection libs from /usr/local/lib/snort_dynamicrules
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>>>>>>>>>>>>> libs
>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>>
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>> library
>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304
>>>>>>>>>>>>> bytes
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>>>>>>>>>>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>>>>>>>>>>>> (max_active_responses 2)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # Target-Based stateful inspection/stream reassembly. For more
>>>>>>>>>>>>> inforation, see README.stream5
>>>>>>>>>>>>> preprocessor stream5_global: track_tcp yes, \
>>>>>>>>>>>>> track_udp yes, \
>>>>>>>>>>>>> track_icmp no, \
>>>>>>>>>>>>> max_tcp 262144, \
>>>>>>>>>>>>> max_udp 131072, \
>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>
>>>>>>>>>>>>> for whatever reason(s) now it doesn't like this line:
>>>>>>>>>>>>>
>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>
>>>>>>>>>>>>> or according to syslog line
>>>>>>>>>>>>>
>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty
>>>>>>>>>>>>> <wkitty42 at ...14940...>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> On 8/15/2011 17:15, alexus wrote:
>>>>>>>>>>>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I don't understand why it's complaining ...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled
>>>>>>>>>>>>>> in
>>>>>>>>>>>>>> your
>>>>>>>>>>>>>> snort
>>>>>>>>>>>>>> compile, it won't work... use var instead of ipvar...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>> uberSVN's rich system and user administration capabilities and
>>>>>>>>>>>>>> model
>>>>>>>>>>>>>> configuration take the hassle out of deploying and managing
>>>>>>>>>>>>>> Subversion
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> the tools developers use with it. Learn more about uberSVN and
>>>>>>>>>>>>>> get a
>>>>>>>>>>>>>> free
>>>>>>>>>>>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Snort-users mailing list
>>>>>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>>>>>> Snort-users list archive:
>>>>>>>>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please see http://www.snort.org/docs for documentation
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> http://alexus.org/
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> http://alexus.org/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> http://alexus.org/
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://alexus.org/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> http://alexus.org/
>>>>
>>>
>>>
>>>
>>> --
>>> http://alexus.org/
>>>
>>
>>
>>
>> --
>> http://alexus.org/
>>
>
>



-- 
http://alexus.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 21381 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110816/dd925ddb/attachment.obj>
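A pre-flight check that encodes the diagnosis this thread works through (ipvar needing an IPv6 build, compress_depth needing zlib, and the recommended OPTIONS comment at the top of snort.conf that Joel points at), as an added example that is not code from the thread or from the Snort project. It assumes Snort 2.9 config syntax; the keyword-to-flag map and the sample config are constructed, and the stream5 active-response pairing is an assumption, not something the thread states.

```python
import re

# Directive keyword -> ./configure flag the Snort 2.9 build must have for the
# parser to accept it. The first two pairings are the ones stated in the thread
# (ipvar needs IPv6 support; compress_depth needs zlib); the stream5 pair is an
# assumption based on those being active-response options.
REQUIRES = {
    "ipvar": "--enable-ipv6",
    "compress_depth": "--enable-zlib",
    "decompress_depth": "--enable-zlib",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
}

KEYWORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, REQUIRES)) + r")\b")
OPTIONS_RE = re.compile(r"^#\s*OPTIONS\s*:")

# Constructed sample snort.conf fragment (not the poster's attachment) that
# mirrors the three failures seen in the thread.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-zlib --enable-active-response
ipvar HOME_NET [192.0.2.0/24]
portvar HTTP_PORTS [80,8080]
preprocessor stream5_global: track_tcp yes, \\
    max_tcp 262144, \\
    max_active_responses 2, \\
    min_response_seconds 5
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535
"""


def recommended_options(conf_text):
    """Flags listed in the '# OPTIONS :' header comment at the top of snort.conf."""
    flags = set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        if OPTIONS_RE.match(stripped):
            flags.update(tok for tok in stripped.split() if tok.startswith("--"))
    return flags


def missing_from_build(conf_text, built_with):
    """Recommended flags the running binary was not configured with."""
    return sorted(recommended_options(conf_text) - set(built_with))


def unsupported_directives(conf_text, built_with):
    """Physical lines Snort would reject given the build's configure flags.

    Returns [(lineno, keyword, required_flag)] in file order, so the first
    entry is the line a FATAL ERROR would name. Tracks backslash
    continuations so that 'ipvar' only counts at the head of a directive.
    """
    problems = []
    continued = False
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for match in KEYWORD_RE.finditer(stripped):
            keyword = match.group(1)
            if keyword == "ipvar" and (continued or match.start() != 0):
                continue  # 'ipvar' is a directive, not an option inside one
            flag = REQUIRES[keyword]
            if flag not in built_with:
                problems.append((lineno, keyword, flag))
        continued = stripped.endswith("\\")
    return problems


def downgrade_ipvar(conf_text):
    """The workaround used in the thread for a build without IPv6: ipvar -> var.

    Rebuilding with the recommended options is the cleaner fix; this only
    gets the parser past the HOME_NET line.
    """
    return re.sub(r"^(\s*)ipvar\b", r"\1var", conf_text, flags=re.MULTILINE)


if __name__ == "__main__":
    build = {"--enable-zlib"}  # constructed: a build that skipped most options
    print("missing flags:", missing_from_build(SAMPLE_CONF, build))
    for lineno, keyword, flag in unsupported_directives(SAMPLE_CONF, build):
        print(f"snort.conf({lineno}): '{keyword}' needs {flag}")
```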

