[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 16 18:41:45 EDT 2011


su-3.2# file /usr/local/bin/snort
/usr/local/bin/snort: ELF 64-bit LSB executable, x86-64, version 1
(FreeBSD), for FreeBSD 7.4, dynamically linked (uses shared libs),
FreeBSD-style, not stripped
su-3.2# uname -a
FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
17:48:16 UTC 2011
alexus at ...15356...:/usr/obj/usr/src/sys/GENERIC  amd64
su-3.2#

Once again, snort itself works; it's the rules that make it crash right
away. If I don't use that snort.conf, snort runs by itself with no problem.

On Tue, Aug 16, 2011 at 5:41 PM, Joel Esler <jesler at ...1935...> wrote:
> Are you using 32 bit SO rules on a 64 bit platform?  Or Vice versa?
>
> Joel
>
> On Aug 16, 2011, at 5:02 PM, alexus wrote:
>
>> The file came from the snortrules that I pulled yesterday, plus I've made
>> small modifications for HOMENET and some ports that apply to my
>> system.
>>
>> my system is:
>>
>> FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
>> 17:48:16 UTC 2011
>> alexus at ...15356...:/usr/obj/usr/src/sys/GENERIC  amd64
>>
>> snort.conf is attached
>>
>>
>> On Tue, Aug 16, 2011 at 4:59 PM, Joel Esler <jesler at ...1935...> wrote:
>>> Can you provide your snort.conf file and OS version for us?
>>>
>>> Joel
>>>
>>> On Aug 16, 2011, at 4:50 PM, alexus wrote:
>>>
>>>> So should I be using another set of rules to get this thing going?
>>>>
>>>> On Tue, Aug 16, 2011 at 11:50 AM, alexus <alexus at ...11827...> wrote:
>>>>> if that's helpful
>>>>>
>>>>> su-3.2# snort -c /usr/local/etc/snort.conf
>>>>> Running in IDS mode
>>>>>
>>>>>        --== Initializing Snort ==--
>>>>> Initializing Output Plugins!
>>>>> Initializing Preprocessors!
>>>>> Initializing Plug-ins!
>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
>>>>> 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
>>>>> 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>>>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>>>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>>>>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>>>>> Detection:
>>>>>   Search-Method = AC-Full-Q
>>>>>    Split Any/Any group = enabled
>>>>>    Search-Method-Optimizations = enabled
>>>>>    Maximum pattern length = 20
>>>>> Tagged Packet Limit: 256
>>>>> Loading dynamic engine
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>>>> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>>>  Loading dynamic detection library
>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>> done
>>>>>  Finished Loading all dynamic detection libs from
>>>>> /usr/local/lib/snort_dynamicrules
>>>>> Loading all dynamic preprocessor libs from
>>>>> /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>>>>  Finished Loading all dynamic preprocessor libs from
>>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>>> Log directory = /var/log/snort
>>>>> WARNING: ip4 normalizations disabled because not inline
>>>>> WARNING: tcp normalizations disabled because not inline
>>>>> WARNING: icmp4 normalizations disabled because not inline
>>>>> WARNING: ip6 normalizations disabled because not inline
>>>>> WARNING: icmp6 normalizations disabled because not inline
>>>>> Frag3 global config:
>>>>>    Max frags: 65536
>>>>>    Fragment memory cap: 4194304 bytes
>>>>> Frag3 engine config:
>>>>>    Target-based policy: WINDOWS
>>>>>    Fragment timeout: 180 seconds
>>>>>    Fragment min_ttl:   1
>>>>>    Fragment Problems: 1
>>>>>    Overlap Limit:     10
>>>>>    Min fragment Length:     100
>>>>> Stream5 global config:
>>>>>    Track TCP sessions: ACTIVE
>>>>>    Max TCP sessions: 8192
>>>>>    Memcap (for reassembly packet storage): 8388608
>>>>>    Track UDP sessions: INACTIVE
>>>>>    Track ICMP sessions: INACTIVE
>>>>>    Log info if session memory consumption exceeds 1048576
>>>>>    Send up to 0 active responses
>>>>> Stream5 TCP Policy config:
>>>>>    Reassembly Policy: WINDOWS
>>>>>    Timeout: 180 seconds
>>>>>    Limit on TCP Overlaps: 10
>>>>>    Maximum number of bytes to queue per session: 1048576
>>>>>    Maximum number of segs to queue per session: 2621
>>>>>    Options:
>>>>>        Require 3-Way Handshake: YES
>>>>>        3-Way Handshake Timeout: 180
>>>>>        Detect Anomalies: YES
>>>>>    Reassembly Ports:
>>>>>      21 client (Footprint)
>>>>>      22 client (Footprint)
>>>>>      23 client (Footprint)
>>>>>      25 client (Footprint)
>>>>>      42 client (Footprint)
>>>>>      53 client (Footprint)
>>>>>      79 client (Footprint)
>>>>>      80 client (Footprint) server (Footprint)
>>>>>      81 client (Footprint) server (Footprint)
>>>>>      109 client (Footprint)
>>>>>      110 client (Footprint)
>>>>>      111 client (Footprint)
>>>>>      113 client (Footprint)
>>>>>      119 client (Footprint)
>>>>>      135 client (Footprint)
>>>>>      136 client (Footprint)
>>>>>      137 client (Footprint)
>>>>>      139 client (Footprint)
>>>>>      143 client (Footprint)
>>>>>      161 client (Footprint)
>>>>> Stream5 UDP Policy config:
>>>>>    Timeout: 180 seconds
>>>>> HttpInspect Config:
>>>>>    GLOBAL CONFIG
>>>>>      Max Pipeline Requests:    0
>>>>>      Inspection Type:          STATELESS
>>>>>      Detect Proxy Usage:       NO
>>>>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>>>      IIS Unicode Map Codepage: 1252
>>>>>      Max Gzip Memory: 838860
>>>>>      Max Gzip Sessions: 6
>>>>>      Gzip Compress Depth: 65535
>>>>>      Gzip Decompress Depth: 65535
>>>>>    DEFAULT SERVER CONFIG:
>>>>>      Server profile: All
>>>>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>>>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>>>      Server Flow Depth: 0
>>>>>      Client Flow Depth: 0
>>>>>      Max Chunk Length: 500000
>>>>>      Max Header Field Length: 750
>>>>>      Max Number Header Fields: 100
>>>>>      Inspect Pipeline Requests: YES
>>>>>      URI Discovery Strict Mode: NO
>>>>>      Allow Proxy Usage: NO
>>>>>      Disable Alerting: NO
>>>>>      Oversize Dir Length: 500
>>>>>      Only inspect URI: NO
>>>>>      Normalize HTTP Headers: NO
>>>>>      Inspect HTTP Cookies: YES
>>>>>      Inspect HTTP Responses: YES
>>>>>      Extract Gzip from responses: YES
>>>>>      Unlimited decompression of gzip data from responses: YES
>>>>>      Normalize HTTP Cookies: NO
>>>>>      Enable XFF and True Client IP: NO
>>>>>      Extended ASCII code support in URI: NO
>>>>>      Ascii: YES alert: NO
>>>>>      Double Decoding: YES alert: NO
>>>>>      %U Encoding: YES alert: YES
>>>>>      Bare Byte: YES alert: NO
>>>>>      Base36: OFF
>>>>>      UTF 8: YES alert: NO
>>>>>      IIS Unicode: YES alert: NO
>>>>>      Multiple Slash: YES alert: NO
>>>>>      IIS Backslash: YES alert: NO
>>>>>      Directory Traversal: YES alert: NO
>>>>>      Web Root Traversal: YES alert: NO
>>>>>      Apache WhiteSpace: YES alert: NO
>>>>>      IIS Delimiter: YES alert: NO
>>>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>>>>> rpc_decode arguments:
>>>>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>>>> 32776 32777 32778 32779
>>>>>    alert_fragments: INACTIVE
>>>>>    alert_large_fragments: INACTIVE
>>>>>    alert_incomplete: INACTIVE
>>>>>    alert_multiple_requests: INACTIVE
>>>>> Segmentation fault: 11 (core dumped)
>>>>> su-3.2#
>>>>>
>>>>>
>>>>> On Tue, Aug 16, 2011 at 11:46 AM, alexus <alexus at ...11827...> wrote:
>>>>>> sorry pressed send before completing email...
>>>>>>
>>>>>> So I recompiled it with --enable-debug; how do you want me to re-run it?
>>>>>>
>>>>>> I think some rules are screwing it up, because when I run it as snort -Ds
>>>>>> it runs by itself...
>>>>>>
>>>>>> On Tue, Aug 16, 2011 at 11:41 AM, alexus <alexus at ...11827...> wrote:
>>>>>>> Yes, it happened right on startup...
>>>>>>>
>>>>>>> This is me doing the uninstall...
>>>>>>>
>>>>>>> su-3.2# make uninstall
>>>>>>> Making uninstall in src
>>>>>>> Making uninstall in sfutil
>>>>>>> Making uninstall in win32
>>>>>>> Making uninstall in output-plugins
>>>>>>> Making uninstall in detection-plugins
>>>>>>> Making uninstall in dynamic-plugins
>>>>>>> Making uninstall in sf_engine
>>>>>>> Making uninstall in examples
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicengine/libsf_engine.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.la
>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so.0
>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>>>> Making uninstall in sf_preproc_example
>>>>>>> Making uninstall in preprocessors
>>>>>>> Making uninstall in HttpInspect
>>>>>>> Making uninstall in include
>>>>>>> Making uninstall in utils
>>>>>>> Making uninstall in user_interface
>>>>>>> Making uninstall in session_inspection
>>>>>>> Making uninstall in mode_inspection
>>>>>>> Making uninstall in anomaly_detection
>>>>>>> Making uninstall in event_output
>>>>>>> Making uninstall in server
>>>>>>> Making uninstall in client
>>>>>>> Making uninstall in normalization
>>>>>>> Making uninstall in Stream5
>>>>>>> Making uninstall in parser
>>>>>>> Making uninstall in dynamic-preprocessors
>>>>>>> Making uninstall in libs
>>>>>>> Making uninstall in ftptelnet
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>>>>>>> Making uninstall in smtp
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>>>>>>> Making uninstall in ssh
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>>>>>>> Making uninstall in dns
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>>>>>>> Making uninstall in ssl
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>>>>>>> Making uninstall in dcerpc2
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>>>>>>> Making uninstall in sdf
>>>>>>>  /bin/sh ../../../libtool   --mode=uninstall rm -f
>>>>>>> '/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
>>>>>>> libtool: uninstall: rm -f
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>>>> /usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
>>>>>>> -f: not found
>>>>>>> *** Error code 127
>>>>>>>
>>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>>>> *** Error code 1
>>>>>>>
>>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
>>>>>>> *** Error code 1
>>>>>>>
>>>>>>> Stop in /usr/local/src/snort-2.9.0.5/src.
>>>>>>> *** Error code 1
>>>>>>>
>>>>>>> Stop in /usr/local/src/snort-2.9.0.5.
>>>>>>> su-3.2#
>>>>>>>
>>>>>>> And after re-making it, I'm getting the same "Segmentation fault: 11 (core dumped)".
>>>>>>>
>>>>>>> On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs at ...1935...> wrote:
>>>>>>>> Is that happening on start up?  Might try make uninstall and then make
>>>>>>>> install.  If it still happens, then make clean, ./configure with prior
>>>>>>>> options plus --enable-debug and rerun in the debugger and send a backtrace.
>>>>>>>>
>>>>>>>> You can check here for more information on that:
>>>>>>>>
>>>>>>>> http://www.snort.org/snort-downloads/submit-a-bug
>>>>>>>>
>>>>>>>> and as that says, in the doc/BUGS file in the source tree.
>>>>>>>>
>>>>>>>> On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>
>>>>>>>>> I took this from the beginning of snort.conf:
>>>>>>>>>
>>>>>>>>> --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
>>>>>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>>>
>>>>>>>>> and I recompiled my snort with all these options, which include zlib.
>>>>>>>>>
>>>>>>>>> On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj at ...11827...> wrote:
>>>>>>>>>> you need to build snort with --enable-zlib for that one
>>>>>>>>>>
>>>>>>>>>> On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Also, if I take the snort.conf that came with the distro (2.9.0.5),
>>>>>>>>>>>
>>>>>>>>>>> snort stops on the following:
>>>>>>>>>>>
>>>>>>>>>>> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
>>>>>>>>>>> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
>>>>>>>>>>> 'global' configuration.
>>>>>>>>>>>
>>>>>>>>>>> When I tried with the snort.conf that came with the rules, I got the same message:
>>>>>>>>>>>
>>>>>>>>>>> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
>>>>>>>>>>> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
>>>>>>>>>>> 'global' configuration.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>> I have the following in my snort.conf (top section):
>>>>>>>>>>>>
>>>>>>>>>>>> #     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
>>>>>>>>>>>> --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>>>>>>>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>>>>>>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>>>>>>>>>>
>>>>>>>>>>>> I went ahead and recompiled it with all that, yet I still get the same
>>>>>>>>>>>> results.
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler at ...14281....>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> Look at the top of the snort.conf file. You should see our
>>>>>>>>>>>>> recommended
>>>>>>>>>>>>> compile options.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>> On Aug 15, 2011, at 21:32, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Anything specific?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler at ...1935...> wrote:
>>>>>>>>>>>>>> Sounds like you may need to take a look at our recommended compile
>>>>>>>>>>>>>> options
>>>>>>>>>>>>>> at the top of the snort.conf in the etc/ directory.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Check that out.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Aug 15, 2011, at 20:20, alexus <alexus at ...11827...> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, done.
>>>>>>>>>>>>>>> I don't have IPv6 enabled on my system, so you were right; as soon as
>>>>>>>>>>>>>>> I changed ipvar to var it went through that,
>>>>>>>>>>>>>>> but it complains about something else...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
>>>>>>>>>>>>>>> "/usr/local/etc/snort.conf"
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
>>>>>>>>>>>>>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028
>>>>>>>>>>>>>>> 8080
>>>>>>>>>>>>>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371
>>>>>>>>>>>>>>> ]
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined
>>>>>>>>>>>>>>> :
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Detection:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
>>>>>>>>>>>>>>> enabled
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection
>>>>>>>>>>>>>>> libs
>>>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicrules...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>>>> detection libs from /usr/local/lib/snort_dynamicrules
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
>>>>>>>>>>>>>>> libs
>>>>>>>>>>>>>>> from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
>>>>>>>>>>>>>>> library
>>>>>>>>>>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: done
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
>>>>>>>>>>>>>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304
>>>>>>>>>>>>>>> bytes
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
>>>>>>>>>>>>>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
>>>>>>>>>>>>>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
>>>>>>>>>>>>>>> (max_active_responses 2)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # Target-Based stateful inspection/stream reassembly. For more
>>>>>>>>>>>>>>> information, see README.stream5
>>>>>>>>>>>>>>> preprocessor stream5_global: track_tcp yes, \
>>>>>>>>>>>>>>> track_udp yes, \
>>>>>>>>>>>>>>> track_icmp no, \
>>>>>>>>>>>>>>> max_tcp 262144, \
>>>>>>>>>>>>>>> max_udp 131072, \
>>>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> For whatever reason(s), now it doesn't like this line:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> min_response_seconds 5
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> or, according to the syslog line number, this line:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> max_active_responses 2, \
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty
>>>>>>>>>>>>>>> <wkitty42 at ...14940...>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>> On 8/15/2011 17:15, alexus wrote:
>>>>>>>>>>>>>>>>> line 45 of /usr/local/etc/snort.conf states:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ipvar HOME_NET [64.237.55.65/27]
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I don't understand why it's complaining ...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in
>>>>>>>>>>>>>>>> your snort compile, it won't work... use var instead of ipvar...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>>> uberSVN's rich system and user administration capabilities and
>>>>>>>>>>>>>>>> model
>>>>>>>>>>>>>>>> configuration take the hassle out of deploying and managing
>>>>>>>>>>>>>>>> Subversion
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> the tools developers use with it. Learn more about uberSVN and
>>>>>>>>>>>>>>>> get a
>>>>>>>>>>>>>>>> free
>>>>>>>>>>>>>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> Snort-users mailing list
>>>>>>>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>>>>>>>> Snort-users list archive:
>>>>>>>>>>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please see http://www.snort.org/docs for documentation
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> http://alexus.org/
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> http://alexus.org/
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> http://alexus.org/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> http://alexus.org/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://alexus.org/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> http://alexus.org/
>>>>
>>>
>>>
>>
>>
>>
>> --
>> http://alexus.org/
>> <snort.conf>
>
>



-- 
http://alexus.org/
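The three FATAL ERRORs in this thread (ipvar at line 45, compress_depth in http_inspect, max_active_responses in stream5_global) are one failure in three costumes: a snort.conf directive that only exists when Snort 2.9.0.x was built with the matching --enable-* flag, which is exactly what the "#     OPTIONS :" header at the top of the stock snort.conf lists. The script below is an added example, not code from the thread or from the Snort project. It pulls the recommended flags out of that header, joins backslash-continued lines the way Snort's parser does (which is why syslog blamed line 246, the "preprocessor stream5_global:" line, rather than the continuation line carrying max_active_responses), and reports every directive whose build flag is missing from the set the binary was actually configured with. The directive-to-flag table is an assumption drawn from the three errors in the thread plus the normalize_* family; the snort.conf fragment is constructed for the example.

```python
import re

# Constructed sample snort.conf: the stock OPTIONS header plus the three
# directives that produced FATAL ERRORs in the thread, and one normalizer line.
SAMPLE_CONF = """\
#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
#               --enable-zlib --enable-active-response --enable-normalizer
ipvar HOME_NET [64.237.55.65/27]
var RULE_PATH ../rules
portvar HTTP_PORTS [80,81,311]
preprocessor normalize_ip4
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor stream5_global: track_tcp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""

# Directive pattern -> configure flag without which Snort 2.9.0.x rejects it.
# ipvar/compress_depth/max_active_responses come from the thread's errors;
# normalize_* -> --enable-normalizer is an assumption from the same family.
REQUIRES = {
    r"^\s*ipvar\b": "--enable-ipv6",
    r"\bcompress_depth\b": "--enable-zlib",
    r"\b(max_active_responses|min_response_seconds)\b": "--enable-active-response",
    r"^\s*preprocessor\s+normalize_": "--enable-normalizer",
}


def recommended_options(conf_text):
    """Collect the --enable-* flags from the '#     OPTIONS :' comment block."""
    opts, in_block = set(), False
    for line in conf_text.splitlines():
        if re.match(r"^#\s*OPTIONS\s*:", line):
            in_block = True
        elif in_block and not line.startswith("#"):
            in_block = False
        if in_block:
            opts.update(re.findall(r"--enable-[\w-]+", line))
    return opts


def join_continuations(conf_text):
    """Join lines ending in a backslash into one logical line, keeping the
    number of the first physical line (what Snort reports in its errors)."""
    joined, buf, start = [], [], None
    for n, line in enumerate(conf_text.splitlines(), 1):
        if start is None:
            start = n
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        joined.append((start, " ".join(buf)))
        buf, start = [], None
    return joined


def missing_build_options(conf_text, built_with):
    """Return [(line_no, matched_directive, needed_flag)] for every directive
    in conf_text whose required configure flag is not in built_with."""
    problems = []
    for n, line in join_continuations(conf_text):
        if line.lstrip().startswith("#"):
            continue
        for pattern, flag in REQUIRES.items():
            m = re.search(pattern, line)
            if m and flag not in built_with:
                problems.append((n, m.group(0).strip(), flag))
    return problems


if __name__ == "__main__":
    # A binary configured with only --enable-ipv6 would still fail on three lines.
    for n, what, flag in missing_build_options(SAMPLE_CONF, {"--enable-ipv6"}):
        print("snort.conf(%d): %r needs %s" % (n, what, flag))
```

To lint a real file, read it and pass the flags the binary was actually configured with, not the header's list: the header says what is recommended, and the fix in this thread was to make the two agree. If the original ./configure command is gone, config.log in the build tree records it.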




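Joel's question about 32-bit SO rules on a 64-bit platform is worth turning into a check instead of eyeballing `file` output one library at a time: a shared object whose ELF class or machine type differs from the snort binary cannot be dlopen()ed by it. The script below is an added example, not code from the thread or from Snort. It reads the ELF identification bytes directly (EI_CLASS at offset 4, EI_DATA at 5, EI_OSABI at 7, e_machine at bytes 18-19) and compares each library against the binary; the sample headers are constructed in-line and are not loadable objects, while scan_install() runs the same comparison over a real install tree. Note that in the startup output quoted above only lib_sfdynamic_example_rule.so is loaded from /usr/local/lib/snort_dynamicrules, so an architecture mismatch in the VRT SO rules cannot be what crashed that particular run; the check is still worth running once the real SO rules are dropped into that directory.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
CLASS = {1: 32, 2: 64}                 # EI_CLASS
MACHINE = {0x03: "i386", 0x3E: "x86-64"}  # e_machine
OSABI = {0: "SYSV", 3: "Linux", 9: "FreeBSD"}  # EI_OSABI


def elf_info(data):
    """Parse the e_ident block and e_machine of an ELF image.
    Returns (bits, machine, osabi), or None if data is not an ELF header."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = CLASS.get(data[4])
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    return (bits, MACHINE.get(e_machine, hex(e_machine)), OSABI.get(data[7], str(data[7])))


def mismatches(binary, libs):
    """binary: leading bytes of the snort executable; libs: {name: leading bytes}.
    Returns [(name, reason)] for libraries this binary cannot dlopen():
    wrong ELF class, wrong machine, or not an ELF image at all."""
    host = elf_info(binary)
    if host is None:
        raise ValueError("snort binary is not an ELF image")
    out = []
    for name, data in sorted(libs.items()):
        info = elf_info(data)
        if info is None:
            out.append((name, "not an ELF image"))
        elif info[:2] != host[:2]:
            out.append((name, "%d-bit %s library, but snort is %d-bit %s"
                        % (info[0], info[1], host[0], host[1])))
    return out


def _fake_elf(bits, machine, osabi=9):
    """Constructed 64-byte ELF header for the sample data (not a loadable object)."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1, 1, osabi]) + b"\0" * 8
    rest = struct.pack("<HHI", 3, machine, 1)   # e_type=ET_DYN, e_machine, e_version
    return (ident + rest).ljust(64, b"\0")


# Constructed sample: a 64-bit FreeBSD snort, one matching lib, one 32-bit lib,
# and one file that is not ELF at all (e.g. a leftover libtool .la file).
SAMPLE_SNORT = _fake_elf(64, 0x3E)
SAMPLE_LIBS = {
    "lib_sfdynamic_example_rule.so": _fake_elf(64, 0x3E),
    "example_32bit_rule.so": _fake_elf(32, 0x03),
    "stale.so": b"# libtool library file, not an ELF object",
}


def scan_install(snort_path, lib_dirs):
    """Same check against a real install: every .so under lib_dirs vs. snort_path."""
    with open(snort_path, "rb") as f:
        binary = f.read(64)
    libs = {}
    for d in lib_dirs:
        for root, _, files in os.walk(d):
            for fn in files:
                if fn.endswith(".so") or ".so." in fn:
                    path = os.path.join(root, fn)
                    with open(path, "rb") as f:
                        libs[path] = f.read(64)
    return mismatches(binary, libs)


if __name__ == "__main__":
    for name, why in mismatches(SAMPLE_SNORT, SAMPLE_LIBS):
        print("%s: %s" % (name, why))
```

On the system in the thread the call would be scan_install("/usr/local/bin/snort", ["/usr/local/lib/snort_dynamicrules", "/usr/local/lib/snort_dynamicpreprocessor", "/usr/local/lib/snort_dynamicengine"]); an empty list means every loadable object matches the binary's class and machine, which rules out the 32/64-bit explanation before reaching for gdb.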