[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Mon Aug 22 19:57:50 EDT 2011


guys, please help

su-3.2# md5 snort-2.9.0.5.tar.gz
MD5 (snort-2.9.0.5.tar.gz) = a7e6f0b013f767d09c99f8f91757e355
su-3.2# grep './configure' config.log
  $ ./configure --enable-ipv6 --enable-gre --enable-mpls
--enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-zlib --enable-active-response
--enable-normalizer --enable-reload --enable-react --enable-flexresp3
su-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.2.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

su-3.2# md5 snortrules-snapshot-2905.tar.gz
MD5 (snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
su-3.2# md5 ../snortrules-snapshot-2905.tar.gz
MD5 (../snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
PortVar 'FTP_PORTS' defined :  [ 20:21 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: parser.c(5245) Could not stat dynamic module path
"/usr/local/lib/snort_dynamicrules": No such file or directory.
Fatal Error, Quitting..
su-3.2# ls -dl /usr/local/lib/snort_dynamic*
drwxr-xr-x  2 root  wheel   512 Aug 22 23:50 /usr/local/lib/snort_dynamicengine
drwxr-xr-x  2 root  wheel  1536 Aug 22 23:50
/usr/local/lib/snort_dynamicpreprocessor
su-3.2#

where do those "snort_dynamicrules" come from?
what am I missing?



On Thu, Aug 18, 2011 at 12:13 PM, alexus <alexus at ...11827...> wrote:
> I downloaded 2.8.6.1
>
> su-3.2# snort -V
>
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
>   ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>           Using PCRE version: 7.8 2008-09-05
>           Using ZLIB version: 1.2.3
>
> su-3.2#
>
> downloaded the ruleset for 2.8 and same thing... (it CRASHES!!!)
>
> su-3.2# snort -c /usr/local/etc/snort.conf
> Running in IDS mode
>
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/usr/local/etc/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
> PortVar 'FTP_PORTS' defined :  [ 20:21 ]
> Detection:
>   Search-Method = AC-Full-Q
>    Split Any/Any group = enabled
>    Search-Method-Optimizations = enabled
>    Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>  Loading dynamic detection library
> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
> done
>  Finished Loading all dynamic detection libs from
> /usr/local/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>  Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> Segmentation fault: 11 (core dumped)
> su-3.2#
>
> On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 8/17/2011 11:07, alexus wrote:
>>> it seems like it's failing on part #5 (preprocessors(rpc_decode))
>>>
>>>
>>> su-3.2# snort -sc /usr/local/etc/snort.conf
>>> Running in IDS mode
>>>
>>>          --== Initializing Snort ==--
>> [TRIM]
>>> rpc_decode arguments:
>>>      Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>> 32776 32777 32778 32779
>>>      alert_fragments: INACTIVE
>>>      alert_large_fragments: INACTIVE
>>>      alert_incomplete: INACTIVE
>>>      alert_multiple_requests: INACTIVE
>>> Segmentation fault: 11 (core dumped)
>>> su-3.2#
>>
>> in my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line is the loading
>> of the Portscan Detection Config... it is immediately after the
>> alert_multiple_requests line... then i have the following sections...
>>
>>  FTPTelnet Config
>>  SMTP Config
>>  SSH Config
>>  DCE/RPC 2 Preprocessor Configuration
>>  DNS Configuration
>>  SSLPP config
>>  Initializing rule chains...
>>
>> maybe this helps somewhat?
>>
>>
>
> --
> http://alexus.org/
>
-- 
http://alexus.org/
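The fatal error at the top of this thread is Snort's parser refusing to start because a dynamic-module path named in snort.conf does not exist on disk (the `ls -dl` output shows snort_dynamicengine and snort_dynamicpreprocessor but no snort_dynamicrules). The shell script below is an added example, not code from the thread or from the Snort project: it is the pre-flight check to run before `snort -c`. It reads every `dynamicengine`, `dynamicdetection` and `dynamicpreprocessor` directive in a snort.conf (the directive forms are those of the stock Snort 2.9 snort.conf) and reports each path that is missing or of the wrong type. The configuration fragment and directory layout it builds under a temporary directory are constructed to mirror the post, with the rules directory absent; the placeholder libsf_engine.so it creates is an empty file, not a real shared object.

```shell
#!/bin/sh
# Pre-flight check for "Could not stat dynamic module path": walk a Snort 2.x
# snort.conf and verify that every dynamicengine / dynamicdetection /
# dynamicpreprocessor path it names exists, with the right type
# (directory vs. shared-object file). Added example, not Snort project code.

# Usage: check_snort_dynamic_paths /usr/local/etc/snort.conf
# Prints one line per missing path; return status = number of missing paths.
check_snort_dynamic_paths() {
    conf=$1
    missing=0
    # 'done < file' keeps the loop in the current shell so $missing survives
    # (a 'grep | while' pipeline would run the loop in a subshell).
    while read -r kind arg1 arg2 _rest; do
        case $kind in
            dynamicengine|dynamicdetection|dynamicpreprocessor) ;;
            *) continue ;;   # comments, blank lines, every other directive
        esac
        # Stock snort.conf forms:
        #   dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
        #   dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
        #   dynamicdetection directory /usr/local/lib/snort_dynamicrules
        # 'file <path>' is also accepted; a bare path means a single .so file.
        case $arg1 in
            directory|file) mode=$arg1; path=$arg2 ;;
            *)              mode=file;  path=$arg1 ;;
        esac
        path=${path%/}   # tolerate the trailing slash Snort itself prints
        if [ "$mode" = directory ]; then
            [ -d "$path" ] || { echo "$kind: missing directory $path"; missing=$((missing + 1)); }
        else
            [ -f "$path" ] || { echo "$kind: missing file $path"; missing=$((missing + 1)); }
        fi
    done < "$conf"
    return "$missing"
}

# Build a constructed /usr/local/lib-style layout under $1 that reproduces the
# situation in the thread: engine and preprocessor directories present,
# snort_dynamicrules absent. Writes the matching snort.conf and prints its path.
setup_demo_layout() {
    root=$1
    mkdir -p "$root/lib/snort_dynamicengine" "$root/lib/snort_dynamicpreprocessor"
    : > "$root/lib/snort_dynamicengine/libsf_engine.so"   # placeholder, not a real .so
    cat > "$root/snort.conf" <<EOF
# constructed snort.conf fragment (the dynamic-library step of the stock file)
dynamicpreprocessor directory $root/lib/snort_dynamicpreprocessor/
dynamicengine $root/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $root/lib/snort_dynamicrules
EOF
    echo "$root/snort.conf"
}

# Stand-alone demo: show the failure, apply the fix, re-check.
demo=$(mktemp -d "${TMPDIR:-/tmp}/snortchk.XXXXXX")
conf=$(setup_demo_layout "$demo")
if check_snort_dynamic_paths "$conf"; then
    echo "all dynamic module paths present"
else
    echo "$? path(s) missing; creating the rules directory"
    mkdir -p "$demo/lib/snort_dynamicrules"   # or comment the dynamicdetection line out
    check_snort_dynamic_paths "$conf" && echo "all dynamic module paths present"
fi
rm -rf "$demo"
```

Run against the real /usr/local/etc/snort.conf, the output names the exact directive to fix before Snort gets far enough to fail on something else: either create the directory (and populate it with whatever precompiled shared-object rules you intend to load, if any) or comment the `dynamicdetection directory` line out. Paths containing whitespace are not handled, since `read` splits on it; the stock snort.conf does not use any.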