[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Thu Aug 18 12:13:53 EDT 2011


I downloaded 2.8.6.1

su-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

su-3.2#

downloaded the ruleset for 2.8 and same thing... (it CRASHES!!!)

su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
PortVar 'FTP_PORTS' defined :  [ 20:21 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
  Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
done
  Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
Segmentation fault: 11 (core dumped)
su-3.2#





On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 8/17/2011 11:07, alexus wrote:
>> it seems like it's failing on part #5 (preprocessors(rpc_decode))
>>
>>
>> su-3.2# snort -sc /usr/local/etc/snort.conf
>> Running in IDS mode
>>
>>          --== Initializing Snort ==--
> [TRIM]
>> rpc_decode arguments:
>>      Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>> 32776 32777 32778 32779
>>      alert_fragments: INACTIVE
>>      alert_large_fragments: INACTIVE
>>      alert_incomplete: INACTIVE
>>      alert_multiple_requests: INACTIVE
>> Segmentation fault: 11 (core dumped)
>> su-3.2#
>
> in my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line is the loading
> of the Portscan Detection Config... it is immediately after the
> alert_multiple_requests line... then i have the following sections...
>
>  FTPTelnet Config
>  SMTP Config
>  SSH Config
>  DCE/RPC 2 Preprocessor Configuration
>  DNS Configuration
>  SSLPP config
>  Initializing rule chains...
>
> maybe this helps somewhat?
>



-- 
http://alexus.org/
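The diagnostic step this thread is doing by hand, narrowing the crash down to one snort.conf directive by running Snort on progressively shorter copies of the file, as an added example that is not part of the thread or of the Snort project. It assumes a checker command that takes a config path and exits non-zero on failure; for a real run that would be Snort's own config test mode, `snort -T -c FILE`. The names `first_bad_directive`, `join_continuations`, `snort_check` and `fake_snort`, and the demo config, are this example's own and not from the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project: bisect a
# snort.conf to find the first directive whose inclusion makes a config check
# fail. Prefixes of the file keep every earlier var/portvar/ipvar definition,
# so each trial sees the definitions it depends on, in their original order.
#
# A "checker" is any command that takes a config path and exits non-zero on
# failure. For a real run the checker would wrap Snort's own test mode:
#     snort_check() { snort -T -c "$1" >/dev/null 2>&1; }
# The demo below instead uses a fake checker that mimics the thread's symptom.

# join_continuations CONF OUT
# Write OUT with one directive per line as "STARTLINE<TAB>directive", joining
# backslash-continued lines so a trial prefix never cuts a directive in half.
join_continuations() {
    awk '
        !inrec          { start = NR; inrec = 1 }
        sub(/\\$/, "")  { buf = buf $0; next }        # continued: keep reading
                        { print start "\t" buf $0; buf = ""; inrec = 0 }
        END             { if (inrec) print start "\t" buf }  # dangling backslash
    ' "$1" > "$2"
}

# write_prefix JOINED N OUT: the first N directives, without the line-number column
write_prefix() {
    head -n "$2" "$1" | cut -f2- > "$3"
}

# first_bad_directive CHECKER CONF
# Prints "STARTLINE<TAB>directive" for the first directive whose inclusion makes
# CHECKER fail, "0" when the complete file passes, and returns 2 if even an
# empty config fails (the checker itself is broken, so bisection is meaningless).
first_bad_directive() {
    checker=$1
    conf=$2
    joined=$(mktemp)
    trial=$(mktemp)
    join_continuations "$conf" "$joined"
    total=$(( $(wc -l < "$joined") ))

    if "$checker" "$conf" >/dev/null 2>&1; then
        rm -f "$joined" "$trial"; echo 0; return 0
    fi
    write_prefix "$joined" 0 "$trial"
    if ! "$checker" "$trial" >/dev/null 2>&1; then
        rm -f "$joined" "$trial"
        echo "checker fails on an empty config; fix the checker first" >&2
        return 2
    fi

    lo=0          # prefix of lo directives is known to pass
    hi=$total     # prefix of hi directives is known to fail
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        write_prefix "$joined" "$mid" "$trial"
        if "$checker" "$trial" >/dev/null 2>&1; then lo=$mid; else hi=$mid; fi
    done
    sed -n "${hi}p" "$joined"
    rm -f "$joined" "$trial"
}

# Demo with a constructed config (not a real snort.conf) and a fake checker that
# "crashes" (non-zero exit) as soon as the rpc_decode preprocessor is present.
demo() {
    conf=$(mktemp)
    printf '%s\n' \
        'var HOME_NET any' \
        'portvar HTTP_PORTS [80,3128]' \
        'preprocessor frag3_global' \
        'preprocessor rpc_decode: 111 32770 \' \
        '32771 32772' \
        'preprocessor bo' \
        'include $RULE_PATH/local.rules' > "$conf"
    fake_snort() { ! grep -q 'preprocessor rpc_decode' "$1"; }
    first_bad_directive fake_snort "$conf"
    rm -f "$conf"
}

demo
```

A process killed by SIGSEGV gives the shell an exit status of 139, so a crash counts as a failure exactly like a parse error; read the checker's own output for the reported directive rather than trusting the exit status alone. An `include` line is treated as one directive and its rule file is not bisected into. Snort 2.8 accepts `ipvar` only when built with IPv6 support; the `IPv6 GRE` banner in the post above shows this build has it, which is why this run gets past the variable definitions and on to the crash.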
