[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Joel Esler jesler at ...1935...
Tue Aug 16 18:43:35 EDT 2011


Try not using the Shared Object rules and see if Snort starts.

J

On Aug 16, 2011, at 6:41 PM, alexus wrote:

> su-3.2# file /usr/local/bin/snort
> /usr/local/bin/snort: ELF 64-bit LSB executable, x86-64, version 1
> (FreeBSD), for FreeBSD 7.4, dynamically linked (uses shared libs),
> FreeBSD-style, not stripped
> su-3.2# uname -a
> FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
> 17:48:16 UTC 2011
> alexus at ...15356...:/usr/obj/usr/src/sys/GENERIC  amd64
> su-3.2#
> 
> Once again, snort itself works; it's the rules that make it crash right
> away. If I don't use that snort.conf, snort runs by itself no problem.
> 
> On Tue, Aug 16, 2011 at 5:41 PM, Joel Esler <jesler at ...1935...> wrote:
>> Are you using 32-bit SO rules on a 64-bit platform? Or vice versa?
>> 
>> Joel
>> 
>> On Aug 16, 2011, at 5:02 PM, alexus wrote:
>> 
>>> The file came from the snortrules that I pulled yesterday, plus I've made
>>> small modifications for HOMENET and some ports that apply to my
>>> system.
>>> 
>>> my system is:
>>> 
>>> FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
>>> 17:48:16 UTC 2011
>>> alexus at ...15356...:/usr/obj/usr/src/sys/GENERIC  amd64
>>> 
>>> snort.conf is attached
>>> 
>>> 
>>> On Tue, Aug 16, 2011 at 4:59 PM, Joel Esler <jesler at ...1935...> wrote:
>>>> Can you provide your snort.conf file and OS version for us?
>>>> 
>>>> Joel
>>>> 
>>>> On Aug 16, 2011, at 4:50 PM, alexus wrote:
>>>> 
>>>>> So should I be using another set of rules to get this thing going?
>>>>> 
>>>>> On Tue, Aug 16, 2011 at 11:50 AM, alexus <alexus at ...11827...> wrote:
>>>>>> if that's helpful
>>>>>> 
>>>>>> su-3.2# snort -c /usr/local/etc/snort.conf
>>>>>> Running in IDS mode
>>>>>> 
>>>>>>        --== Initializing Snort ==--
>>>>>> Initializing Output Plugins!
>>>>>> Initializing Preprocessors!
>>>>>> Initializing Plug-ins!
>>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
>>>>>> 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
>>>>>> 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>>>>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>>>>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>>>>>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>>>>>> Detection:
>>>>>>   Search-Method = AC-Full-Q
>>>>>>    Split Any/Any group = enabled
>>>>>>    Search-Method-Optimizations = enabled
>>>>>>    Maximum pattern length = 20
>>>>>> Tagged Packet Limit: 256
>>>>>> Loading dynamic engine
>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>>>>> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>>>>  Loading dynamic detection library
>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>> done
>>>>>>  Finished Loading all dynamic detection libs from
>>>>>> /usr/local/lib/snort_dynamicrules
>>>>>> Loading all dynamic preprocessor libs from
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>>>>>  Finished Loading all dynamic preprocessor libs from
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>>>> Log directory = /var/log/snort
>>>>>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>>>>>> normalizations disabled because not inlineWARNING: icmp4
>>>>>> normalizations disabled because not inlineWARNING: ip6 normalizations
>>>>>> disabled because not inlineWARNING: icmp6 normalizations disabled
>>>>>> because not inlineFrag3 global config:
>>>>>>    Max frags: 65536
>>>>>>    Fragment memory cap: 4194304 bytes
>>>>>> Frag3 engine config:
>>>>>>    Target-based policy: WINDOWS
>>>>>>    Fragment timeout: 180 seconds
>>>>>>    Fragment min_ttl:   1
>>>>>>    Fragment Problems: 1
>>>>>>    Overlap Limit:     10
>>>>>>    Min fragment Length:     100
>>>>>> Stream5 global config:
>>>>>>    Track TCP sessions: ACTIVE
>>>>>>    Max TCP sessions: 8192
>>>>>>    Memcap (for reassembly packet storage): 8388608
>>>>>>    Track UDP sessions: INACTIVE
>>>>>>    Track ICMP sessions: INACTIVE
>>>>>>    Log info if session memory consumption exceeds 1048576
>>>>>>    Send up to 0 active responses
>>>>>> Stream5 TCP Policy config:
>>>>>>    Reassembly Policy: WINDOWS
>>>>>>    Timeout: 180 seconds
>>>>>>    Limit on TCP Overlaps: 10
>>>>>>    Maximum number of bytes to queue per session: 1048576
>>>>>>    Maximum number of segs to queue per session: 2621
>>>>>>    Options:
>>>>>>        Require 3-Way Handshake: YES
>>>>>>        3-Way Handshake Timeout: 180
>>>>>>        Detect Anomalies: YES
>>>>>>    Reassembly Ports:
>>>>>>      21 client (Footprint)
>>>>>>      22 client (Footprint)
>>>>>>      23 client (Footprint)
>>>>>>      25 client (Footprint)
>>>>>>      42 client (Footprint)
>>>>>>      53 client (Footprint)
>>>>>>      79 client (Footprint)
>>>>>>      80 client (Footprint) server (Footprint)
>>>>>>      81 client (Footprint) server (Footprint)
>>>>>>      109 client (Footprint)
>>>>>>      110 client (Footprint)
>>>>>>      111 client (Footprint)
>>>>>>      113 client (Footprint)
>>>>>>      119 client (Footprint)
>>>>>>      135 client (Footprint)
>>>>>>      136 client (Footprint)
>>>>>>      137 client (Footprint)
>>>>>>      139 client (Footprint)
>>>>>>      143 client (Footprint)
>>>>>>      161 client (Footprint)
>>>>>> Stream5 UDP Policy config:
>>>>>>    Timeout: 180 seconds
>>>>>> HttpInspect Config:
>>>>>>    GLOBAL CONFIG
>>>>>>      Max Pipeline Requests:    0
>>>>>>      Inspection Type:          STATELESS
>>>>>>      Detect Proxy Usage:       NO
>>>>>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>>>>      IIS Unicode Map Codepage: 1252
>>>>>>      Max Gzip Memory: 838860
>>>>>>      Max Gzip Sessions: 6
>>>>>>      Gzip Compress Depth: 65535
>>>>>>      Gzip Decompress Depth: 65535
>>>>>>    DEFAULT SERVER CONFIG:
>>>>>>      Server profile: All
>>>>>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>>>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>>>>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>>>>      Server Flow Depth: 0
>>>>>>      Client Flow Depth: 0
>>>>>>      Max Chunk Length: 500000
>>>>>>      Max Header Field Length: 750
>>>>>>      Max Number Header Fields: 100
>>>>>>      Inspect Pipeline Requests: YES
>>>>>>      URI Discovery Strict Mode: NO
>>>>>>      Allow Proxy Usage: NO
>>>>>>      Disable Alerting: NO
>>>>>>      Oversize Dir Length: 500
>>>>>>      Only inspect URI: NO
>>>>>>      Normalize HTTP Headers: NO
>>>>>>      Inspect HTTP Cookies: YES
>>>>>>      Inspect HTTP Responses: YES
>>>>>>      Extract Gzip from responses: YES
>>>>>>      Unlimited decompression of gzip data from responses: YES
>>>>>>      Normalize HTTP Cookies: NO
>>>>>>      Enable XFF and True Client IP: NO
>>>>>>      Extended ASCII code support in URI: NO
>>>>>>      Ascii: YES alert: NO
>>>>>>      Double Decoding: YES alert: NO
>>>>>>      %U Encoding: YES alert: YES
>>>>>>      Bare Byte: YES alert: NO
>>>>>>      Base36: OFF
>>>>>>      UTF 8: YES alert: NO
>>>>>>      IIS Unicode: YES alert: NO
>>>>>>      Multiple Slash: YES alert: NO
>>>>>>      IIS Backslash: YES alert: NO
>>>>>>      Directory Traversal: YES alert: NO
>>>>>>      Web Root Traversal: YES alert: NO
>>>>>>      Apache WhiteSpace: YES alert: NO
>>>>>>      IIS Delimiter: YES alert: NO
>>>>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>>>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>>>>>> rpc_decode arguments:
>>>>>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>>>>> 32776 32777 32778 32779
>>>>>>    alert_fragments: INACTIVE
>>>>>>    alert_large_fragments: INACTIVE
>>>>>>    alert_incomplete: INACTIVE
>>>>>>    alert_multiple_requests: INACTIVE
>>>>>> Segmentation fault: 11 (core dumped)
>>>>>> su-3.2#
>>>>>> 
>>>>>> 
>>>>>> On Tue, Aug 16, 2011 at 11:46 AM, alexus <alexus at ...11827...> wrote:
>>>>>>> sorry pressed send before completing email...
>>>>>>> 
>>>>>>> So I recompiled it with --enable-debug; how do you want me to re-run it?
>>>>>>> 
>>>>>>> I think some rules are screwing it up, because when I run it as snort -Ds
>>>>>>> it runs by itself...
>>>>>>> 
>>>>>>> On Tue, Aug 16, 2011 at 11:41 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>> Yes, it happened right on start up...
>>>>>>>> 
>>>>>>>> this is me doing uninstall...
>>>>>>>> 
>>>>>>>> su-3.2# make uninstall
>>>>>>>> Making uninstall in src
>>>>>>>> Making uninstall in sfutil
>>>>>>>> Making uninstall in win32
>>>>>>>> Making uninstall in output-plugins
>>>>>>>> Making uninstall in detection-plugins
>>>>>>>> Making uninstall in dynamic-plugins
>>>>>>>> Making uninstall in sf_engine
>>>>>>>> Making uninstall in examples
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicengine/libsf_engine.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.la
>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so.0
>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>>>>> Making uninstall in sf_preproc_example
>>>>>>>> Making uninstall in preprocessors
>>>>>>>> Making uninstall in HttpInspect
>>>>>>>> Making uninstall in include
>>>>>>>> Making uninstall in utils
>>>>>>>> Making uninstall in user_interface
>>>>>>>> Making uninstall in session_inspection
>>>>>>>> Making uninstall in mode_inspection
>>>>>>>> Making uninstall in anomaly_detection
>>>>>>>> Making uninstall in event_output
>>>>>>>> Making uninstall in server
>>>>>>>> Making uninstall in client
>>>>>>>> Making uninstall in normalization
>>>>>>>> Making uninstall in Stream5
>>>>>>>> Making uninstall in parser
>>>>>>>> Making uninstall in dynamic-preprocessors
>>>>>>>> Making uninstall in libs
>>>>>>>> Making uninstall in ftptelnet
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>>>>> Making uninstall in smtp
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>>>>> Making uninstall in ssh
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>>>>> Making uninstall in dns
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>>>>> Making uninstall in ssl
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>>>>> Making uninstall in dcerpc2
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>>>>> Making uninstall in sdf
>>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
>>>>>>>> libtool: uninstall: rm -f
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>>>>> -f: not found
>>>>>>>> *** Error code 127
>>>>>>>> 
>>>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>>>>> *** Error code 1
>>>>>>>> 
>>>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>>>>> *** Error code 1
>>>>>>>> 
>>>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src.
>>>>>>>> *** Error code 1
>>>>>>>> 
>>>>>>>> Stop in /usr/local/src/snort-2.9.0.5.
>>>>>>>> su-3.2#
>>>>>>>> 
>>>>>>>> and after re-making it, I'm getting the same Segmentation fault: 11 (core dumped)
>>>>>>>> 
>>>>>>>> On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs at ...1935...> wrote:
>>>>>>>>> Is that happening on start up?  Might try make uninstall and then make
>>>>>>>>> install.  If it still happens, then make clean, ./configure with prior
>>>>>>>>> options plus --enable-debug and rerun in the debugger and send a backtrace.
>>>>>>>>> 
>>>>>>>>> You can check here for more information on that:
>>>>>>>>> 
>>>>>>>>> http://www.snort.org/snort-downloads/submit-a-bug
>>>>>>>>> 
>>>>>>>>> and as that says, in the doc/BUGS file in the source tree.
>>>>>>>>> 
>>>>>>>>> On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>> 
>>>>>>>>>> I took this from the beginning of snort.conf:
>>>>>>>>>> 
>>>>>>>>>> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
>>>>>>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>>>> 
>>>>>>>>>> and I recompiled my snort with all these options, which include zlib
>>>>>>>>>> 
>>>>>>>>>> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
>>>>>>>>>>> you need to build snort with --enable-zlib for that one
>>>>>>>>>>> 
>>>>>>>>>>> On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Also, if I take the snort.conf that came with the distro (2.9.0.5),
>>>>>>>>>>>> 
>>>>>>>>>>>> snort stops on the following:
>>>>>>>>>>>> 
>>>>>>>>>>>> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>>>>>>>>>>>> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>>>>>>>>>>>> 'global' configuration.
>>>>>>>>>>>> 
>>>>>>>>>>>> When I tried with the snort.conf that came with the rules, I got the same message:
>>>>>>>>>>>> 
>>>>>>>>>>>> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>>>>>>>>>>>> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>>>>>>>>>>>> 'global' configuration.
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>>> I have the following in my snort.conf (top section):
>>>>>>>>>>>>> 
>>>>>>>>>>>>> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>>>>>>>>>>>>> --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I went ahead and recompiled it with all that, yet I still get the same
>>>>>>>>>>>>> results.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...14182.....> wrote:
>>>>>>>>>>>>>> Look at the top of the snort.conf file. You should see our
>>>>>>>>>>>>>> recommended compile options.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Anything specific?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>>>>>>>>>>>>>> Sounds like you may need to take a look at our recommended compile
>>>>>>>>>>>>>>> options at the top of the snort.conf in the etc/ directory.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Check that out.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> ok, done
>>>>>>>>>>>>>>>> I don't have IPv6 enabled on my system, so you were right: as soon as
>>>>>>>>>>>>>>>> I changed ipvar to var it went through that,
>>>>>>>>>>>>>>>> but it complains about something else...
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>>>>>>>>>>>>>>> "/usr/local/etc/snort.conf"
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>>>>>>>>>>>>>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028
>>>>>>>>>>>>>>>> 8080
>>>>>>>>>>>>>>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371
>>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined
>>>>>>>>>>>>>>>> :
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>>>>>>>>>>>>>>>> enabled
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection
>>>>>>>>>>>>>>>> libs
>>>>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicrules...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>>>>> detection libs from /usr/local/lib/snort_dynamicrules
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>>>>>>>>>>>>>>>> libs
>>>>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>>>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304
>>>>>>>>>>>>>>>> bytes
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>>>>>>>>>>>>>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>>>>>>>>>>>>>>> (max_active_responses 2)
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> # Target-Based stateful inspection/stream reassembly. For more
>>>>>>>>>>>>>>>> inforation, see README.stream5
>>>>>>>>>>>>>>>> preprocessor stream5_global: track_tcp yes, \
>>>>>>>>>>>>>>>> track_udp yes, \
>>>>>>>>>>>>>>>> track_icmp no, \
>>>>>>>>>>>>>>>> max_tcp 262144, \
>>>>>>>>>>>>>>>> max_udp 131072, \
>>>>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> for whatever reason(s) now it doesn't like this line:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> or, according to the syslog line,
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>>>>>>>>>>>>>> On 8/15/2011 17:15, alexus wrote:
>>>>>>>>>>>>>>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> I don't understand why it's complaining ...
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in
>>>>>>>>>>>>>>>>> your snort compile, it won't work... use var instead of ipvar...
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>> uberSVN's rich system and user administration capabilities and
>>>>>>>>>>>>>>>>> model
>>>>>>>>>>>>>>>>> configuration take the hassle out of deploying and managing
>>>>>>>>>>>>>>>>> Subversion
>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>> the tools developers use with it. Learn more about uberSVN and
>>>>>>>>>>>>>>>>> get a
>>>>>>>>>>>>>>>>> free
>>>>>>>>>>>>>>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>> Snort-users mailing list
>>>>>>>>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>>>>>>>>> Snort-users list archive:
>>>>>>>>>>>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Please see http://www.snort.org/docs for documentation
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> --
>>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> --
>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> http://alexus.org/
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> http://alexus.org/
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> http://alexus.org/
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> http://alexus.org/
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> http://alexus.org/
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> http://alexus.org/
>>> <snort.conf>
>> 
>> 
> 
> 
> 
> -- 
> http://alexus.org/
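Three of the start-up failures in this thread (ipvar on a build without IPv6, compress_depth on a build without zlib, and the stream5_global max_active_responses option) are directives that Snort 2.9 only parses when it was configured with the matching --enable-* option, so a config pulled from the rules tarball can fail on a binary built with different flags. The script below is an added example, not code from the thread or from the Snort project. It joins backslash-continued directives, reads the recommended --enable-* flags from the "OPTIONS :" header comment (or takes the flags you actually passed to ./configure), and reports every directive the build will not accept, with the directive's starting line. The ipvar/--enable-ipv6 and compress_depth/--enable-zlib pairings are what the thread states; the pairing of max_active_responses and min_response_seconds with --enable-active-response is my assumption about the 2.9 build, and the snort.conf excerpt is constructed for the example.

```python
"""Pre-flight check: does this snort.conf use directives the Snort build can't parse?

Added example for the Snort-users thread above; not Snort project code.
"""
import re

# Directive keyword -> configure option that must be present for Snort to accept it.
REQUIRED_OPTION = {
    "ipvar": "--enable-ipv6",                            # stated in the thread
    "compress_depth": "--enable-zlib",                   # stated in the thread
    "decompress_depth": "--enable-zlib",                 # same http_inspect feature
    "max_active_responses": "--enable-active-response",  # assumption (stream5_global)
    "min_response_seconds": "--enable-active-response",  # assumption (stream5_global)
}

OPTION_TOKEN = re.compile(r"--enable-[a-z0-9-]+")
WORD = re.compile(r"[A-Za-z_]+")

# Constructed snort.conf excerpt modelled on the one discussed in the thread.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-gre --enable-zlib --enable-active-response
# Setup the network addresses you are protecting
ipvar HOME_NET [192.0.2.0/24]
portvar HTTP_PORTS [80,8080]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor stream5_global: track_tcp yes, \\
    track_udp yes, \\
    max_active_responses 2, \\
    min_response_seconds 5
"""


def recommended_options(conf_text):
    """Return the --enable-* flags listed in the '#  OPTIONS :' header comment."""
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("#") and "OPTIONS" in line:
            found = OPTION_TOKEN.findall(line)
            # The shipped file keeps it on one line; tolerate a wrapped header too.
            j = i + 1
            while j < len(lines) and lines[j].startswith("#") and OPTION_TOKEN.search(lines[j]):
                found.extend(OPTION_TOKEN.findall(lines[j]))
                j += 1
            return found
    return []


def logical_lines(conf_text):
    """Yield (first_physical_line_no, joined_text), merging backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def lint(conf_text, built_options):
    """Return [(line_no, keyword, missing_option)] for each directive the build lacks."""
    built = set(built_options)
    problems = []
    for n, text in logical_lines(conf_text):
        body = text.split("#", 1)[0]  # ignore comments
        for word in WORD.findall(body):
            need = REQUIRED_OPTION.get(word)
            if need and need not in built:
                problems.append((n, word, need))
    return problems


def report(conf_text, built_options, name="snort.conf"):
    """Format findings the way Snort reports a fatal parse error: file(line) => ..."""
    return [f"{name}({n}) => '{kw}' needs {opt} in the build"
            for n, kw, opt in lint(conf_text, built_options)]


if __name__ == "__main__":
    # Simulate the thread's situation: a binary built without the recommended options.
    for line in report(SAMPLE_CONF, ["--enable-gre"]):
        print(line)
    print("clean build:", report(SAMPLE_CONF, recommended_options(SAMPLE_CONF)) or "no findings")
```

Run it against the real file with the flags from your own ./configure line rather than the header when the two differ; the header only records what the rules tarball was built against, which is exactly the mismatch this thread is chasing. Segfaults while loading rules, as opposed to parse errors, are outside what a config lint can catch and still need the debug build and backtrace Russ asked for.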




