[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Joel Esler jesler at ...1935...
Mon Aug 22 21:50:56 EDT 2011


Alexus, 

I understand the difficulty you must be going through, and I'll give you one more branch of assistance; however, I suggest you check out the Snort Manual: http://manual.snort.org. We can't step you through every single line that is causing an error.

This error means you are running the wrong version of Dynamic preprocessors with a differing version of Snort.

Snort 2.9.1 will come out this week. I suggest you remove the installation of Snort you have now, and the items in those directories, and go with a fresh install of Snort 2.9.1.

Joel
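Two checks for the situation described above, added here as an example and not code from the thread or from the Snort project: one pulls the failing preprocessor out of a captured "snort -c" startup log, the other lists dynamic libraries whose mtime predates the snort binary, which is what a library left behind by an earlier install looks like. It assumes a POSIX sh with the common `test -ot` extension; all paths, timestamps and log lines in the demo are constructed.

```shell
#!/bin/sh
# Added troubleshooting helpers (not from the thread or the Snort project).
# A stale .so left behind by an earlier install, such as libsf_dcerpc_preproc.so
# from a 2.8.6.1 install surviving a 2.9.0.5 install over the same prefix,
# is loaded by the new binary and then fails to initialize.

# failed_preprocessor LOGFILE
# Prints "NAME version X.Y.Z" for each line of the form
# "ERROR: Failed to initialize dynamic preprocessor: NAME version X.Y.Z (-1)".
# (The list archive wraps that line; Snort itself prints it as one line.)
failed_preprocessor() {
    sed -n 's/^ERROR: Failed to initialize dynamic preprocessor: \(.*\) ([-0-9]*)$/\1/p' "$1"
}

# stale_dynamic_libs SNORT_BINARY LIBDIR...
# Prints every *.so under the given directories whose mtime is older than the
# snort binary. Returns 0 when nothing stale was found, 1 when something was,
# 2 when the binary does not exist.
stale_dynamic_libs() {
    bin=$1; shift
    [ -f "$bin" ] || { echo "no such binary: $bin" >&2; return 2; }
    rc=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue        # e.g. snort_dynamicrules may not exist
        for lib in "$dir"/*.so; do
            [ -f "$lib" ] || continue    # unexpanded glob: directory is empty
            if [ "$lib" -ot "$bin" ]; then
                echo "$lib"
                rc=1
            fi
        done
    done
    return $rc
}

# demo: rebuilds the thread's situation with constructed files and timestamps.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done' \
        'ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6) version 1.1.5 (-1)' \
        'Fatal Error, Quitting..' > "$tmp/startup.log"
    mkdir -p "$tmp/bin" "$tmp/snort_dynamicpreprocessor"
    # constructed mtimes: dcerpc lib from an Aug 18 install, snort binary and
    # dce2 lib from a later Aug 22 install
    touch -t 201108181213 "$tmp/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so"
    touch -t 201108222350 "$tmp/bin/snort"
    touch -t 201108222351 "$tmp/snort_dynamicpreprocessor/libsf_dce2_preproc.so"
    echo "failed preprocessor: $(failed_preprocessor "$tmp/startup.log")"
    echo "libraries older than the snort binary:"
    stale_dynamic_libs "$tmp/bin/snort" "$tmp/snort_dynamicpreprocessor" \
                       "$tmp/snort_dynamicrules" || true
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a real install, run `stale_dynamic_libs /usr/local/bin/snort /usr/local/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicrules` and feed a saved startup log to `failed_preprocessor`; anything it prints is what a clean reinstall would remove.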

On Aug 22, 2011, at 9:47 PM, alexus wrote:

> directory is already there... I created it
> 
> here is my new output
> 
> su-3.2# snort -c /usr/local/etc/snort.conf
> Running in IDS mode
> 
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/usr/local/etc/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
> PortVar 'FTP_PORTS' defined :  [ 20:21 ]
> Detection:
>   Search-Method = AC-Full-Q
>    Split Any/Any group = enabled
>    Search-Method-Optimizations = enabled
>    Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
> Warning: No dynamic libraries found in directory
> /usr/local/lib/snort_dynamicrules!
>  Finished Loading all dynamic detection libs from
> /usr/local/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/...
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> done
>  Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
> normalizations disabled because not inlineWARNING: icmp4
> normalizations disabled because not inlineWARNING: ip6 normalizations
> disabled because not inlineWARNING: icmp6 normalizations disabled
> because not inlineFrag3 global config:
>    Max frags: 65536
>    Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>    Target-based policy: WINDOWS
>    Fragment timeout: 180 seconds
>    Fragment min_ttl:   1
>    Fragment Problems: 1
>    Overlap Limit:     10
>    Min fragment Length:     100
> Stream5 global config:
>    Track TCP sessions: ACTIVE
>    Max TCP sessions: 262144
>    Memcap (for reassembly packet storage): 8388608
>    Track UDP sessions: ACTIVE
>    Max UDP sessions: 131072
>    Track ICMP sessions: INACTIVE
>    Log info if session memory consumption exceeds 1048576
>    Send up to 2 active responses
>    Wait at least 5 seconds between responses
> Stream5 TCP Policy config:
>    Reassembly Policy: WINDOWS
>    Timeout: 180 seconds
>    Limit on TCP Overlaps: 10
>    Maximum number of bytes to queue per session: 1048576
>    Maximum number of segs to queue per session: 2621
>    Options:
>        Require 3-Way Handshake: YES
>        3-Way Handshake Timeout: 180
>        Detect Anomalies: YES
>    Reassembly Ports:
>      21 client (Footprint)
>      22 client (Footprint)
>      23 client (Footprint)
>      25 client (Footprint)
>      42 client (Footprint)
>      53 client (Footprint)
>      79 client (Footprint)
>      80 client (Footprint) server (Footprint)
>      81 client (Footprint) server (Footprint)
>      109 client (Footprint)
>      110 client (Footprint)
>      111 client (Footprint)
>      113 client (Footprint)
>      119 client (Footprint)
>      135 client (Footprint)
>      136 client (Footprint)
>      137 client (Footprint)
>      139 client (Footprint)
>      143 client (Footprint)
>      161 client (Footprint)
> Stream5 UDP Policy config:
>    Timeout: 180 seconds
> HttpInspect Config:
>    GLOBAL CONFIG
>      Max Pipeline Requests:    0
>      Inspection Type:          STATELESS
>      Detect Proxy Usage:       NO
>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>      IIS Unicode Map Codepage: 1252
>      Max Gzip Memory: 838860
>      Max Gzip Sessions: 6
>      Gzip Compress Depth: 65535
>      Gzip Decompress Depth: 65535
>    DEFAULT SERVER CONFIG:
>      Server profile: All
>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
> 8243 8280 8888 9090 9091 9443 9999 11371
>      Server Flow Depth: 0
>      Client Flow Depth: 0
>      Max Chunk Length: 500000
>      Max Header Field Length: 750
>      Max Number Header Fields: 100
>      Inspect Pipeline Requests: YES
>      URI Discovery Strict Mode: NO
>      Allow Proxy Usage: NO
>      Disable Alerting: NO
>      Oversize Dir Length: 500
>      Only inspect URI: NO
>      Normalize HTTP Headers: NO
>      Inspect HTTP Cookies: YES
>      Inspect HTTP Responses: YES
>      Extract Gzip from responses: YES
>      Unlimited decompression of gzip data from responses: YES
>      Normalize HTTP Cookies: NO
>      Enable XFF and True Client IP: NO
>      Extended ASCII code support in URI: NO
>      Ascii: YES alert: NO
>      Double Decoding: YES alert: NO
>      %U Encoding: YES alert: YES
>      Bare Byte: YES alert: NO
>      Base36: OFF
>      UTF 8: YES alert: NO
>      IIS Unicode: YES alert: NO
>      Multiple Slash: YES alert: NO
>      IIS Backslash: YES alert: NO
>      Directory Traversal: YES alert: NO
>      Web Root Traversal: YES alert: NO
>      Apache WhiteSpace: YES alert: NO
>      IIS Delimiter: YES alert: NO
>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
> 32776 32777 32778 32779
>    alert_fragments: INACTIVE
>    alert_large_fragments: INACTIVE
>    alert_incomplete: INACTIVE
>    alert_multiple_requests: INACTIVE
> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
> version 1.1.5 (-1)
> Fatal Error, Quitting..
> su-3.2#
> 
> can someone explain to me what this means? how do I get rid of it/fix it?
> 
> 
> On Mon, Aug 22, 2011 at 8:56 PM, Joel Esler <jesler at ...1935...> wrote:
>> I recommend the use of pulledpork to be able to manage your Snort rules and place the Shared Object rules that exist in the correct directory.
>> 
>> First, start by creating that directory.
>> 
>> Joel
>> 
>> On Aug 22, 2011, at 8:17 PM, alexus wrote:
>> 
>>> I created that directory, so here is the new output
>>> 
>>> su-3.2# snort -c /usr/local/etc/snort.conf
>>> Running in IDS mode
>>> 
>>>        --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>> PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
>>> PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>> Detection:
>>>   Search-Method = AC-Full-Q
>>>    Split Any/Any group = enabled
>>>    Search-Method-Optimizations = enabled
>>>    Maximum pattern length = 20
>>> Tagged Packet Limit: 256
>>> Loading dynamic engine
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>> Warning: No dynamic libraries found in directory
>>> /usr/local/lib/snort_dynamicrules!
>>>  Finished Loading all dynamic detection libs from
>>> /usr/local/lib/snort_dynamicrules
>>> Loading all dynamic preprocessor libs from
>>> /usr/local/lib/snort_dynamicpreprocessor/...
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>> done
>>>  Finished Loading all dynamic preprocessor libs from
>>> /usr/local/lib/snort_dynamicpreprocessor/
>>> Log directory = /var/log/snort
>>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>>> normalizations disabled because not inlineWARNING: icmp4
>>> normalizations disabled because not inlineWARNING: ip6 normalizations
>>> disabled because not inlineWARNING: icmp6 normalizations disabled
>>> because not inlineFrag3 global config:
>>>    Max frags: 65536
>>>    Fragment memory cap: 4194304 bytes
>>> Frag3 engine config:
>>>    Target-based policy: WINDOWS
>>>    Fragment timeout: 180 seconds
>>>    Fragment min_ttl:   1
>>>    Fragment Problems: 1
>>>    Overlap Limit:     10
>>>    Min fragment Length:     100
>>> Stream5 global config:
>>>    Track TCP sessions: ACTIVE
>>>    Max TCP sessions: 262144
>>>    Memcap (for reassembly packet storage): 8388608
>>>    Track UDP sessions: ACTIVE
>>>    Max UDP sessions: 131072
>>>    Track ICMP sessions: INACTIVE
>>>    Log info if session memory consumption exceeds 1048576
>>>    Send up to 2 active responses
>>>    Wait at least 5 seconds between responses
>>> Stream5 TCP Policy config:
>>>    Reassembly Policy: WINDOWS
>>>    Timeout: 180 seconds
>>>    Limit on TCP Overlaps: 10
>>>    Maximum number of bytes to queue per session: 1048576
>>>    Maximum number of segs to queue per session: 2621
>>>    Options:
>>>        Require 3-Way Handshake: YES
>>>        3-Way Handshake Timeout: 180
>>>        Detect Anomalies: YES
>>>    Reassembly Ports:
>>>      21 client (Footprint)
>>>      22 client (Footprint)
>>>      23 client (Footprint)
>>>      25 client (Footprint)
>>>      42 client (Footprint)
>>>      53 client (Footprint)
>>>      79 client (Footprint)
>>>      80 client (Footprint) server (Footprint)
>>>      81 client (Footprint) server (Footprint)
>>>      109 client (Footprint)
>>>      110 client (Footprint)
>>>      111 client (Footprint)
>>>      113 client (Footprint)
>>>      119 client (Footprint)
>>>      135 client (Footprint)
>>>      136 client (Footprint)
>>>      137 client (Footprint)
>>>      139 client (Footprint)
>>>      143 client (Footprint)
>>>      161 client (Footprint)
>>> Stream5 UDP Policy config:
>>>    Timeout: 180 seconds
>>> HttpInspect Config:
>>>    GLOBAL CONFIG
>>>      Max Pipeline Requests:    0
>>>      Inspection Type:          STATELESS
>>>      Detect Proxy Usage:       NO
>>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>      IIS Unicode Map Codepage: 1252
>>>      Max Gzip Memory: 838860
>>>      Max Gzip Sessions: 6
>>>      Gzip Compress Depth: 65535
>>>      Gzip Decompress Depth: 65535
>>>    DEFAULT SERVER CONFIG:
>>>      Server profile: All
>>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>      Server Flow Depth: 0
>>>      Client Flow Depth: 0
>>>      Max Chunk Length: 500000
>>>      Max Header Field Length: 750
>>>      Max Number Header Fields: 100
>>>      Inspect Pipeline Requests: YES
>>>      URI Discovery Strict Mode: NO
>>>      Allow Proxy Usage: NO
>>>      Disable Alerting: NO
>>>      Oversize Dir Length: 500
>>>      Only inspect URI: NO
>>>      Normalize HTTP Headers: NO
>>>      Inspect HTTP Cookies: YES
>>>      Inspect HTTP Responses: YES
>>>      Extract Gzip from responses: YES
>>>      Unlimited decompression of gzip data from responses: YES
>>>      Normalize HTTP Cookies: NO
>>>      Enable XFF and True Client IP: NO
>>>      Extended ASCII code support in URI: NO
>>>      Ascii: YES alert: NO
>>>      Double Decoding: YES alert: NO
>>>      %U Encoding: YES alert: YES
>>>      Bare Byte: YES alert: NO
>>>      Base36: OFF
>>>      UTF 8: YES alert: NO
>>>      IIS Unicode: YES alert: NO
>>>      Multiple Slash: YES alert: NO
>>>      IIS Backslash: YES alert: NO
>>>      Directory Traversal: YES alert: NO
>>>      Web Root Traversal: YES alert: NO
>>>      Apache WhiteSpace: YES alert: NO
>>>      IIS Delimiter: YES alert: NO
>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>>> rpc_decode arguments:
>>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>> 32776 32777 32778 32779
>>>    alert_fragments: INACTIVE
>>>    alert_large_fragments: INACTIVE
>>>    alert_incomplete: INACTIVE
>>>    alert_multiple_requests: INACTIVE
>>> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
>>> version 1.1.5 (-1)
>>> Fatal Error, Quitting..
>>> su-3.2#
>>> 
>>> 
>>> On Mon, Aug 22, 2011 at 7:57 PM, alexus <alexus at ...11827...> wrote:
>>>> guys, please help
>>>> 
>>>> su-3.2# md5 snort-2.9.0.5.tar.gz
>>>> MD5 (snort-2.9.0.5.tar.gz) = a7e6f0b013f767d09c99f8f91757e355
>>>> su-3.2# grep './configure' config.log
>>>>  $ ./configure --enable-ipv6 --enable-gre --enable-mpls
>>>> --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>> --enable-normalizer --enable-reload --enable-react --enable-flexresp3
>>>> su-3.2# snort -V
>>>> 
>>>>   ,,_     -*> Snort! <*-
>>>>  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
>>>>   ''''    By Martin Roesch & The Snort Team:
>>>> http://www.snort.org/snort/snort-team
>>>>           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>>>>           Using libpcap version 1.2.0
>>>>           Using PCRE version: 7.8 2008-09-05
>>>>           Using ZLIB version: 1.2.3
>>>> 
>>>> su-3.2# md5 snortrules-snapshot-2905.tar.gz
>>>> MD5 (snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
>>>> su-3.2# md5 ../snortrules-snapshot-2905.tar.gz
>>>> MD5 (../snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
>>>> su-3.2# snort -c /usr/local/etc/snort.conf
>>>> Running in IDS mode
>>>> 
>>>>        --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Initializing Preprocessors!
>>>> Initializing Plug-ins!
>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
>>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>>> PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
>>>> PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>> Detection:
>>>>   Search-Method = AC-Full-Q
>>>>    Split Any/Any group = enabled
>>>>    Search-Method-Optimizations = enabled
>>>>    Maximum pattern length = 20
>>>> ERROR: parser.c(5245) Could not stat dynamic module path
>>>> "/usr/local/lib/snort_dynamicrules": No such file or directory.
>>>> Fatal Error, Quitting..
>>>> su-3.2# ls -dl /usr/local/lib/snort_dynamic*
>>>> drwxr-xr-x  2 root  wheel   512 Aug 22 23:50 /usr/local/lib/snort_dynamicengine
>>>> drwxr-xr-x  2 root  wheel  1536 Aug 22 23:50
>>>> /usr/local/lib/snort_dynamicpreprocessor
>>>> su-3.2#
>>>> 
>>>> where does that "snort_dynamicrules" come from?
>>>> what am I missing?
>>>> 
>>>> 
>>>> 
>>>> On Thu, Aug 18, 2011 at 12:13 PM, alexus <alexus at ...11827...> wrote:
>>>>> I downloaded 2.8.6.1
>>>>> 
>>>>> su-3.2# snort -V
>>>>> 
>>>>>   ,,_     -*> Snort! <*-
>>>>>  o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
>>>>>   ''''    By Martin Roesch & The Snort Team:
>>>>> http://www.snort.org/snort/snort-team
>>>>>           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>>>           Using PCRE version: 7.8 2008-09-05
>>>>>           Using ZLIB version: 1.2.3
>>>>> 
>>>>> su-3.2#
>>>>> 
>>>>> downloaded the ruleset for 2.8 and same thing... (it CRASHES!!!)
>>>>> 
>>>>> su-3.2# snort -c /usr/local/etc/snort.conf
>>>>> Running in IDS mode
>>>>> 
>>>>>        --== Initializing Snort ==--
>>>>> Initializing Output Plugins!
>>>>> Initializing Preprocessors!
>>>>> Initializing Plug-ins!
>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
>>>>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>>>>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>>>>> PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
>>>>> PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>>> Detection:
>>>>>   Search-Method = AC-Full-Q
>>>>>    Split Any/Any group = enabled
>>>>>    Search-Method-Optimizations = enabled
>>>>>    Maximum pattern length = 20
>>>>> Tagged Packet Limit: 256
>>>>> Loading dynamic engine
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>>>>> Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>>>  Loading dynamic detection library
>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>> done
>>>>>  Finished Loading all dynamic detection libs from
>>>>> /usr/local/lib/snort_dynamicrules
>>>>> Loading all dynamic preprocessor libs from
>>>>> /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>>>>  Finished Loading all dynamic preprocessor libs from
>>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>>> Log directory = /var/log/snort
>>>>> Segmentation fault: 11 (core dumped)
>>>>> su-3.2#
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>>> On 8/17/2011 11:07, alexus wrote:
>>>>>>> it seems like it's failing on part #5 (preprocessors(rpc_decode))
>>>>>>> 
>>>>>>> 
>>>>>>> su-3.2# snort -sc /usr/local/etc/snort.conf
>>>>>>> Running in IDS mode
>>>>>>> 
>>>>>>>          --== Initializing Snort ==--
>>>>>> [TRIM]
>>>>>>> rpc_decode arguments:
>>>>>>>      Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>>>>>> 32776 32777 32778 32779
>>>>>>>      alert_fragments: INACTIVE
>>>>>>>      alert_large_fragments: INACTIVE
>>>>>>>      alert_incomplete: INACTIVE
>>>>>>>      alert_multiple_requests: INACTIVE
>>>>>>> Segmentation fault: 11 (core dumped)
>>>>>>> su-3.2#
>>>>>> 
>>>>>> in my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line is the loading
>>>>>> of the Portscan Detection Config... it is immediately after the
>>>>>> alert_multiple_requests line... then I have the following sections...
>>>>>> 
>>>>>>  FTPTelnet Config
>>>>>>  SMTP Config
>>>>>>  SSH Config
>>>>>>  DCE/RPC 2 Preprocessor Configuration
>>>>>>  DNS Configuration
>>>>>>  SSLPP config
>>>>>>  Initializing rule chains...
>>>>>> 
>>>>>> maybe this helps somewhat?
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
>>>>>> user administration capabilities and model configuration. Take
>>>>>> the hassle out of deploying and managing Subversion and the
>>>>>> tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>> 
>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> http://alexus.org/
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> http://alexus.org/
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> http://alexus.org/
>>> 
>> 
>> 
> 
> 
> 
> -- 
> http://alexus.org/
