[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Joel Esler jesler at ...1935...
Tue Aug 16 17:41:56 EDT 2011


Are you using 32 bit SO rules on a 64 bit platform?  Or vice versa?

Joel

On Aug 16, 2011, at 5:02 PM, alexus wrote:

> The file came from the snortrules that I pulled yesterday, plus I've made
> small modifications for HOME_NET and some ports that apply to my
> system.
> 
> my system is:
> 
> FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
> 17:48:16 UTC 2011
> alexus at ...15356...:/usr/obj/usr/src/sys/GENERIC  amd64
> 
> snort.conf is attached
> 
> 
> On Tue, Aug 16, 2011 at 4:59 PM, Joel Esler <jesler at ...1935...> wrote:
>> Can you provide your snort.conf file and OS version for us?
>> 
>> Joel
>> 
>> On Aug 16, 2011, at 4:50 PM, alexus wrote:
>> 
>>> So should I be using another set of rules to get this thing going?
>>> 
>>> On Tue, Aug 16, 2011 at 11:50 AM, alexus <alexus at ...11827...> wrote:
>>>> if that's helpful
>>>> 
>>>> su-3.2# snort -c /usr/local/etc/snort.conf
>>>> Running in IDS mode
>>>> 
>>>>        --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Initializing Preprocessors!
>>>> Initializing Plug-ins!
>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
>>>> 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
>>>> 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>>>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>>>> Detection:
>>>>   Search-Method = AC-Full-Q
>>>>    Split Any/Any group = enabled
>>>>    Search-Method-Optimizations = enabled
>>>>    Maximum pattern length = 20
>>>> Tagged Packet Limit: 256
>>>> Loading dynamic engine
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>>> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>>  Loading dynamic detection library
>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>> done
>>>>  Finished Loading all dynamic detection libs from
>>>> /usr/local/lib/snort_dynamicrules
>>>> Loading all dynamic preprocessor libs from
>>>> /usr/local/lib/snort_dynamicpreprocessor/...
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>>>  Finished Loading all dynamic preprocessor libs from
>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>> Log directory = /var/log/snort
>>>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>>>> normalizations disabled because not inlineWARNING: icmp4
>>>> normalizations disabled because not inlineWARNING: ip6 normalizations
>>>> disabled because not inlineWARNING: icmp6 normalizations disabled
>>>> because not inlineFrag3 global config:
>>>>    Max frags: 65536
>>>>    Fragment memory cap: 4194304 bytes
>>>> Frag3 engine config:
>>>>    Target-based policy: WINDOWS
>>>>    Fragment timeout: 180 seconds
>>>>    Fragment min_ttl:   1
>>>>    Fragment Problems: 1
>>>>    Overlap Limit:     10
>>>>    Min fragment Length:     100
>>>> Stream5 global config:
>>>>    Track TCP sessions: ACTIVE
>>>>    Max TCP sessions: 8192
>>>>    Memcap (for reassembly packet storage): 8388608
>>>>    Track UDP sessions: INACTIVE
>>>>    Track ICMP sessions: INACTIVE
>>>>    Log info if session memory consumption exceeds 1048576
>>>>    Send up to 0 active responses
>>>> Stream5 TCP Policy config:
>>>>    Reassembly Policy: WINDOWS
>>>>    Timeout: 180 seconds
>>>>    Limit on TCP Overlaps: 10
>>>>    Maximum number of bytes to queue per session: 1048576
>>>>    Maximum number of segs to queue per session: 2621
>>>>    Options:
>>>>        Require 3-Way Handshake: YES
>>>>        3-Way Handshake Timeout: 180
>>>>        Detect Anomalies: YES
>>>>    Reassembly Ports:
>>>>      21 client (Footprint)
>>>>      22 client (Footprint)
>>>>      23 client (Footprint)
>>>>      25 client (Footprint)
>>>>      42 client (Footprint)
>>>>      53 client (Footprint)
>>>>      79 client (Footprint)
>>>>      80 client (Footprint) server (Footprint)
>>>>      81 client (Footprint) server (Footprint)
>>>>      109 client (Footprint)
>>>>      110 client (Footprint)
>>>>      111 client (Footprint)
>>>>      113 client (Footprint)
>>>>      119 client (Footprint)
>>>>      135 client (Footprint)
>>>>      136 client (Footprint)
>>>>      137 client (Footprint)
>>>>      139 client (Footprint)
>>>>      143 client (Footprint)
>>>>      161 client (Footprint)
>>>> Stream5 UDP Policy config:
>>>>    Timeout: 180 seconds
>>>> HttpInspect Config:
>>>>    GLOBAL CONFIG
>>>>      Max Pipeline Requests:    0
>>>>      Inspection Type:          STATELESS
>>>>      Detect Proxy Usage:       NO
>>>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>>      IIS Unicode Map Codepage: 1252
>>>>      Max Gzip Memory: 838860
>>>>      Max Gzip Sessions: 6
>>>>      Gzip Compress Depth: 65535
>>>>      Gzip Decompress Depth: 65535
>>>>    DEFAULT SERVER CONFIG:
>>>>      Server profile: All
>>>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>>      Server Flow Depth: 0
>>>>      Client Flow Depth: 0
>>>>      Max Chunk Length: 500000
>>>>      Max Header Field Length: 750
>>>>      Max Number Header Fields: 100
>>>>      Inspect Pipeline Requests: YES
>>>>      URI Discovery Strict Mode: NO
>>>>      Allow Proxy Usage: NO
>>>>      Disable Alerting: NO
>>>>      Oversize Dir Length: 500
>>>>      Only inspect URI: NO
>>>>      Normalize HTTP Headers: NO
>>>>      Inspect HTTP Cookies: YES
>>>>      Inspect HTTP Responses: YES
>>>>      Extract Gzip from responses: YES
>>>>      Unlimited decompression of gzip data from responses: YES
>>>>      Normalize HTTP Cookies: NO
>>>>      Enable XFF and True Client IP: NO
>>>>      Extended ASCII code support in URI: NO
>>>>      Ascii: YES alert: NO
>>>>      Double Decoding: YES alert: NO
>>>>      %U Encoding: YES alert: YES
>>>>      Bare Byte: YES alert: NO
>>>>      Base36: OFF
>>>>      UTF 8: YES alert: NO
>>>>      IIS Unicode: YES alert: NO
>>>>      Multiple Slash: YES alert: NO
>>>>      IIS Backslash: YES alert: NO
>>>>      Directory Traversal: YES alert: NO
>>>>      Web Root Traversal: YES alert: NO
>>>>      Apache WhiteSpace: YES alert: NO
>>>>      IIS Delimiter: YES alert: NO
>>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>>>> rpc_decode arguments:
>>>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>>> 32776 32777 32778 32779
>>>>    alert_fragments: INACTIVE
>>>>    alert_large_fragments: INACTIVE
>>>>    alert_incomplete: INACTIVE
>>>>    alert_multiple_requests: INACTIVE
>>>> Segmentation fault: 11 (core dumped)
>>>> su-3.2#
>>>> 
>>>> 
>>>> On Tue, Aug 16, 2011 at 11:46 AM, alexus <alexus at ...11827...> wrote:
>>>>> Sorry, pressed send before completing the email...
>>>>> 
>>>>> So I recompiled it with --enable-debug; how do you want me to re-run it?
>>>>> 
>>>>> I think some rules are screwing it up, because when I run it as snort -Ds
>>>>> it runs by itself...
>>>>> 
>>>>> On Tue, Aug 16, 2011 at 11:41 AM, alexus <alexus at ...11827...> wrote:
>>>>>> Yes, it happened right on start-up...
>>>>>> 
>>>>>> This is me doing the uninstall...
>>>>>> 
>>>>>> su-3.2# make uninstall
>>>>>> Making uninstall in src
>>>>>> Making uninstall in sfutil
>>>>>> Making uninstall in win32
>>>>>> Making uninstall in output-plugins
>>>>>> Making uninstall in detection-plugins
>>>>>> Making uninstall in dynamic-plugins
>>>>>> Making uninstall in sf_engine
>>>>>> Making uninstall in examples
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicengine/libsf_engine.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.la
>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so.0
>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>>> Making uninstall in sf_preproc_example
>>>>>> Making uninstall in preprocessors
>>>>>> Making uninstall in HttpInspect
>>>>>> Making uninstall in include
>>>>>> Making uninstall in utils
>>>>>> Making uninstall in user_interface
>>>>>> Making uninstall in session_inspection
>>>>>> Making uninstall in mode_inspection
>>>>>> Making uninstall in anomaly_detection
>>>>>> Making uninstall in event_output
>>>>>> Making uninstall in server
>>>>>> Making uninstall in client
>>>>>> Making uninstall in normalization
>>>>>> Making uninstall in Stream5
>>>>>> Making uninstall in parser
>>>>>> Making uninstall in dynamic-preprocessors
>>>>>> Making uninstall in libs
>>>>>> Making uninstall in ftptelnet
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>>> Making uninstall in smtp
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>>> Making uninstall in ssh
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>>> Making uninstall in dns
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>>> Making uninstall in ssl
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>>> Making uninstall in dcerpc2
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>>> Making uninstall in sdf
>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
>>>>>> libtool: uninstall: rm -f
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>>> -f: not found
>>>>>> *** Error code 127
>>>>>> 
>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>>> *** Error code 1
>>>>>> 
>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>>> *** Error code 1
>>>>>> 
>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src.
>>>>>> *** Error code 1
>>>>>> 
>>>>>> Stop in /usr/local/src/snort-2.9.0.5.
>>>>>> su-3.2#
>>>>>> 
>>>>>> and after re-making it, I'm getting the same Segmentation fault: 11 (core dumped)
>>>>>> 
>>>>>> On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs at ...1935...> wrote:
>>>>>>> Is that happening on start up?  Might try make uninstall and then make
>>>>>>> install.  If it still happens, then make clean, ./configure with prior
>>>>>>> options plus --enable-debug and rerun in the debugger and send a backtrace.
>>>>>>> 
>>>>>>> You can check here for more information on that:
>>>>>>> 
>>>>>>> http://www.snort.org/snort-downloads/submit-a-bug
>>>>>>> 
>>>>>>> and as that says, in the doc/BUGS file in the source tree.
>>>>>>> 
>>>>>>> On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>> 
>>>>>>>> I took this from the beginning of snort.conf:
>>>>>>>> 
>>>>>>>> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
>>>>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>> 
>>>>>>>> and I recompiled my snort with all these options, which includes zlib
>>>>>>>> 
>>>>>>>> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
>>>>>>>>> You need to build snort with --enable-zlib for that one.
>>>>>>>>> 
>>>>>>>>> On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>> 
>>>>>>>>>> Also, if I take the snort.conf that came with the distro (2.9.0.5),
>>>>>>>>>> 
>>>>>>>>>> snort stops on the following:
>>>>>>>>>> 
>>>>>>>>>> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>>>>>>>>>> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>>>>>>>>>> 'global' configuration.
>>>>>>>>>> 
>>>>>>>>>> When I tried with the snort.conf that came with the rules, I got the same message:
>>>>>>>>>> 
>>>>>>>>>> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>>>>>>>>>> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>>>>>>>>>> 'global' configuration.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>> I have the following in my snort.conf (top section):
>>>>>>>>>>> 
>>>>>>>>>>> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>>>>>>>>>>> --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>>>>> 
>>>>>>>>>>> I went ahead and recompiled it with all that, yet I still get the same
>>>>>>>>>>> results.
>>>>>>>>>>> 
>>>>>>>>>>> On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...1935...> wrote:
>>>>>>>>>>>> Look at the top of the snort.conf file. You should see our
>>>>>>>>>>>> recommended compile options.
>>>>>>>>>>>> 
>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Anything specific?
>>>>>>>>>>>> 
>>>>>>>>>>>> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>>>>>>>>>>>> Sounds like you may need to take a look at our recommended compile
>>>>>>>>>>>>> options at the top of the snort.conf in the etc/ directory.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Check that out.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> OK, done.
>>>>>>>>>>>>>> I don't have IPv6 enabled on my system, so you were right: as soon as
>>>>>>>>>>>>>> I changed ipvar to var it went through that,
>>>>>>>>>>>>>> but it complains about something else...
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>>>>>>>>>>>>> "/usr/local/etc/snort.conf"
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>>>>>>>>>>>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028
>>>>>>>>>>>>>> 8080
>>>>>>>>>>>>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371
>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined
>>>>>>>>>>>>>> :
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>>>>>>>>>>>>>> enabled
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection
>>>>>>>>>>>>>> libs
>>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicrules...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>>> detection libs from /usr/local/lib/snort_dynamicrules
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>>>>>>>>>>>>>> libs
>>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>> library
>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304
>>>>>>>>>>>>>> bytes
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>>>>>>>>>>>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>>>>>>>>>>>>> (max_active_responses 2)
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> # Target-Based stateful inspection/stream reassembly. For more
>>>>>>>>>>>>>> inforation, see README.stream5
>>>>>>>>>>>>>> preprocessor stream5_global: track_tcp yes, \
>>>>>>>>>>>>>> track_udp yes, \
>>>>>>>>>>>>>> track_icmp no, \
>>>>>>>>>>>>>> max_tcp 262144, \
>>>>>>>>>>>>>> max_udp 131072, \
>>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> For whatever reason(s), now it doesn't like this line:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> or, according to the syslog line,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>>>>>>>>>>>> On 8/15/2011 17:15, alexus wrote:
>>>>>>>>>>>>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> I don't understand why it's complaining...
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in
>>>>>>>>>>>>>>> your snort compile, it won't work... use var instead of ipvar...
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>> uberSVN's rich system and user administration capabilities and
>>>>>>>>>>>>>>> model
>>>>>>>>>>>>>>> configuration take the hassle out of deploying and managing
>>>>>>>>>>>>>>> Subversion
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> the tools developers use with it. Learn more about uberSVN and
>>>>>>>>>>>>>>> get a
>>>>>>>>>>>>>>> free
>>>>>>>>>>>>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> Snort-users mailing list
>>>>>>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>>>>>>> Snort-users list archive:
>>>>>>>>>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Please see http://www.snort.org/docs for documentation
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>> 
>>>>>>>>> 
>>>>>>> 
>> 
>> 
> 
> 
> 
> -- 
> http://alexus.org/
> <snort.conf>
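The three build-option mismatches this thread walks through (ipvar without --enable-ipv6, compress_depth without --enable-zlib, max_active_responses without --enable-active-response) can be caught before starting snort by cross-checking snort.conf against the flags the binary was configured with. The checker below is an added example, not code from the thread or the Snort project; it assumes a Snort 2.9.0.x snort.conf, a constructed sample file, and that the caller supplies the flags used at ./configure time.

```python
"""Predict Snort 2.9.0.x config-parse failures caused by missing build options.

Added example for this thread, not Snort project code. The keyword-to-flag table
is this script's own, built from the three errors the thread hit; decompress_depth
is assumed to share compress_depth's zlib dependency.
"""
import re
from typing import List, NamedTuple, Set, Tuple

# snort.conf keyword -> ./configure option the 2.9.0.x parser needs to accept it
REQUIRED_BUILD_OPTION = {
    "ipvar": "--enable-ipv6",                            # "Unknown rule type: ipvar"
    "compress_depth": "--enable-zlib",                   # "Invalid keyword 'compress_depth'"
    "decompress_depth": "--enable-zlib",                 # assumed: same zlib dependency
    "max_active_responses": "--enable-active-response",  # "Unknown Stream5 global option"
    "min_response_seconds": "--enable-active-response",  # same stream5_global directive
}

OPTIONS_HEADER = re.compile(r"^#\s*OPTIONS\s*:\s*(.*)$")
FLAG = re.compile(r"--enable-[\w-]+")


class Finding(NamedTuple):
    line: int       # physical line number, the same one Snort prints in snort.conf(N)
    keyword: str
    required: str   # configure option the keyword depends on
    advice: str


def recommended_options(conf: str) -> Set[str]:
    """Flags from the '#     OPTIONS :' header comment; if the header was wrapped
    (as in a mail client), following comment lines made only of flags continue it."""
    flags: Set[str] = set()
    lines = conf.splitlines()
    for i, raw in enumerate(lines):
        m = OPTIONS_HEADER.match(raw)
        if not m:
            continue
        flags.update(FLAG.findall(m.group(1)))
        for cont in lines[i + 1:]:
            body = cont.lstrip("#").strip()
            if not body or not all(tok.startswith("--") for tok in body.split()):
                break
            flags.update(FLAG.findall(body))
        break
    return flags


def keyword_uses(conf: str) -> List[Tuple[int, str]]:
    """(line_no, keyword) for each build-dependent keyword in live (uncommented) config."""
    uses = []
    for no, raw in enumerate(conf.splitlines(), start=1):
        code = raw.split("#", 1)[0]          # drop comments, so the header never matches
        for kw in REQUIRED_BUILD_OPTION:
            if re.search(rf"\b{kw}\b", code):
                uses.append((no, kw))
    return uses


def check(conf: str, built_with: Set[str]) -> List[Finding]:
    """Keywords in conf that a binary built with exactly built_with cannot parse."""
    findings = []
    for no, kw in keyword_uses(conf):
        need = REQUIRED_BUILD_OPTION[kw]
        if need not in built_with:
            # The thread's workaround for ipvar was to rewrite it as var; the rest need a rebuild.
            advice = ("use 'var' instead, or rebuild with --enable-ipv6" if kw == "ipvar"
                      else f"rebuild with {need}, or drop the option")
            findings.append(Finding(no, kw, need, advice))
    return findings


# Constructed sample: header wrapped as in the mailing-list copy, plus the
# directives from the thread with a documentation-range HOME_NET.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
#     --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling
#     --enable-zlib --enable-active-response --enable-normalizer --enable-reload
#     --enable-react --enable-flexresp3

ipvar HOME_NET [192.0.2.0/27]
portvar HTTP_PORTS [80,81,311]

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535

# Target-Based stateful inspection/stream reassembly.
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   track_icmp no, \\
   max_tcp 262144, \\
   max_udp 131072, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""

if __name__ == "__main__":
    header = recommended_options(SAMPLE_CONF)
    # Pretend the binary was built without the three flags the thread had to add.
    actual = header - {"--enable-ipv6", "--enable-zlib", "--enable-active-response"}
    print("recommended but not built in:", sorted(header - actual))
    for f in check(SAMPLE_CONF, actual):
        print(f"snort.conf({f.line}): '{f.keyword}' needs {f.required}; {f.advice}")
```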