[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Gibson, Nathan J. (HSC) Nathan-Gibson at ...15095...
Mon Aug 22 23:05:50 EDT 2011


What O/S are you running? I found the RHEL rules don't work for me on RHEL, so I use the CentOS rules.

-----Original Message-----
From: Joel Esler [mailto:jesler at ...1935...]
Sent: Monday, August 22, 2011 8:51 PM
To: alexus
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Alexus,

I understand the difficulty you must be going through, and I'll give you one more branch of assistance, however, I suggest you check out the Snort Manual:  http://manual.snort.org.  We can't step you through every single line that is causing an error.

This error means you are running the wrong version of Dynamic preprocessors with a differing version of Snort.

Snort 2.9.1 will come out this week. I suggest you remove the installation of Snort you have now, and the items in those directories, and go with a fresh install of Snort 2.9.1.

Joel

On Aug 22, 2011, at 9:47 PM, alexus wrote:

> directory is already there... I created it
>
> here is my new output
>
> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/usr/local/etc/snort.conf"
> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar 'SHELLCODE_PORTS'
> defined :  [ 0:79 81:65535 ] PortVar 'ORACLE_PORTS' defined :  [
> 1024:65535 ] PortVar 'SSH_PORTS' defined :  [ 22 65535 ] PortVar
> 'FTP_PORTS' defined :  [ 20:21 ]
> Detection:
>   Search-Method = AC-Full-Q
>    Split Any/Any group = enabled
>    Search-Method-Optimizations = enabled
>    Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading all
> dynamic detection libs from /usr/local/lib/snort_dynamicrules...
> Warning: No dynamic libraries found in directory
> /usr/local/lib/snort_dynamicrules!
>  Finished Loading all dynamic detection libs from
> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> done
>  Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
> Loading dynamic preprocessor library
> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> done
>  Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
> normalizations disabled because not inlineWARNING: icmp4
> normalizations disabled because not inlineWARNING: ip6 normalizations
> disabled because not inlineWARNING: icmp6 normalizations disabled
> because not inlineFrag3 global config:
>    Max frags: 65536
>    Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>    Target-based policy: WINDOWS
>    Fragment timeout: 180 seconds
>    Fragment min_ttl:   1
>    Fragment Problems: 1
>    Overlap Limit:     10
>    Min fragment Length:     100
> Stream5 global config:
>    Track TCP sessions: ACTIVE
>    Max TCP sessions: 262144
>    Memcap (for reassembly packet storage): 8388608
>    Track UDP sessions: ACTIVE
>    Max UDP sessions: 131072
>    Track ICMP sessions: INACTIVE
>    Log info if session memory consumption exceeds 1048576
>    Send up to 2 active responses
>    Wait at least 5 seconds between responses
> Stream5 TCP Policy config:
>    Reassembly Policy: WINDOWS
>    Timeout: 180 seconds
>    Limit on TCP Overlaps: 10
>    Maximum number of bytes to queue per session: 1048576
>    Maximum number of segs to queue per session: 2621
>    Options:
>        Require 3-Way Handshake: YES
>        3-Way Handshake Timeout: 180
>        Detect Anomalies: YES
>    Reassembly Ports:
>      21 client (Footprint)
>      22 client (Footprint)
>      23 client (Footprint)
>      25 client (Footprint)
>      42 client (Footprint)
>      53 client (Footprint)
>      79 client (Footprint)
>      80 client (Footprint) server (Footprint)
>      81 client (Footprint) server (Footprint)
>      109 client (Footprint)
>      110 client (Footprint)
>      111 client (Footprint)
>      113 client (Footprint)
>      119 client (Footprint)
>      135 client (Footprint)
>      136 client (Footprint)
>      137 client (Footprint)
>      139 client (Footprint)
>      143 client (Footprint)
>      161 client (Footprint)
> Stream5 UDP Policy config:
>    Timeout: 180 seconds
> HttpInspect Config:
>    GLOBAL CONFIG
>      Max Pipeline Requests:    0
>      Inspection Type:          STATELESS
>      Detect Proxy Usage:       NO
>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>      IIS Unicode Map Codepage: 1252
>      Max Gzip Memory: 838860
>      Max Gzip Sessions: 6
>      Gzip Compress Depth: 65535
>      Gzip Decompress Depth: 65535
>    DEFAULT SERVER CONFIG:
>      Server profile: All
>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
> 8243 8280 8888 9090 9091 9443 9999 11371
>      Server Flow Depth: 0
>      Client Flow Depth: 0
>      Max Chunk Length: 500000
>      Max Header Field Length: 750
>      Max Number Header Fields: 100
>      Inspect Pipeline Requests: YES
>      URI Discovery Strict Mode: NO
>      Allow Proxy Usage: NO
>      Disable Alerting: NO
>      Oversize Dir Length: 500
>      Only inspect URI: NO
>      Normalize HTTP Headers: NO
>      Inspect HTTP Cookies: YES
>      Inspect HTTP Responses: YES
>      Extract Gzip from responses: YES
>      Unlimited decompression of gzip data from responses: YES
>      Normalize HTTP Cookies: NO
>      Enable XFF and True Client IP: NO
>      Extended ASCII code support in URI: NO
>      Ascii: YES alert: NO
>      Double Decoding: YES alert: NO
>      %U Encoding: YES alert: YES
>      Bare Byte: YES alert: NO
>      Base36: OFF
>      UTF 8: YES alert: NO
>      IIS Unicode: YES alert: NO
>      Multiple Slash: YES alert: NO
>      IIS Backslash: YES alert: NO
>      Directory Traversal: YES alert: NO
>      Web Root Traversal: YES alert: NO
>      Apache WhiteSpace: YES alert: NO
>      IIS Delimiter: YES alert: NO
>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode arguments:
>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
> 32776 32777 32778 32779
>    alert_fragments: INACTIVE
>    alert_large_fragments: INACTIVE
>    alert_incomplete: INACTIVE
>    alert_multiple_requests: INACTIVE
> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
> version 1.1.5 (-1) Fatal Error, Quitting..
> su-3.2#
>
> can someone explain to me what this means? how do I get rid of it/fix it?
>
>
> On Mon, Aug 22, 2011 at 8:56 PM, Joel Esler <jesler at ...1935...> wrote:
>> I recommend the use of pulledpork to be able to manage your Snort rules and place the Shared Object rules that exist in the correct directory.
>>
>> First, start by creating that directory.
>>
>> Joel
>>
>> On Aug 22, 2011, at 8:17 PM, alexus wrote:
>>
>>> I created that directory, so now new output
>>>
>>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>>>
>>>        --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Initializing Preprocessors!
>>> Initializing Plug-ins!
>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS' defined
>>> :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>> Detection:
>>>   Search-Method = AC-Full-Q
>>>    Split Any/Any group = enabled
>>>    Search-Method-Optimizations = enabled
>>>    Maximum pattern length = 20
>>> Tagged Packet Limit: 256
>>> Loading dynamic engine
>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading
>>> all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>> Warning: No dynamic libraries found in directory
>>> /usr/local/lib/snort_dynamicrules!
>>>  Finished Loading all dynamic detection libs from
>>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>> done  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>> done  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>> done  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>> done
>>>  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>> done  Loading dynamic preprocessor library
>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>> done
>>>  Finished Loading all dynamic preprocessor libs from
>>> /usr/local/lib/snort_dynamicpreprocessor/
>>> Log directory = /var/log/snort
>>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>>> normalizations disabled because not inlineWARNING: icmp4
>>> normalizations disabled because not inlineWARNING: ip6
>>> normalizations disabled because not inlineWARNING: icmp6
>>> normalizations disabled because not inlineFrag3 global config:
>>>    Max frags: 65536
>>>    Fragment memory cap: 4194304 bytes
>>> Frag3 engine config:
>>>    Target-based policy: WINDOWS
>>>    Fragment timeout: 180 seconds
>>>    Fragment min_ttl:   1
>>>    Fragment Problems: 1
>>>    Overlap Limit:     10
>>>    Min fragment Length:     100
>>> Stream5 global config:
>>>    Track TCP sessions: ACTIVE
>>>    Max TCP sessions: 262144
>>>    Memcap (for reassembly packet storage): 8388608
>>>    Track UDP sessions: ACTIVE
>>>    Max UDP sessions: 131072
>>>    Track ICMP sessions: INACTIVE
>>>    Log info if session memory consumption exceeds 1048576
>>>    Send up to 2 active responses
>>>    Wait at least 5 seconds between responses
>>> Stream5 TCP Policy config:
>>>    Reassembly Policy: WINDOWS
>>>    Timeout: 180 seconds
>>>    Limit on TCP Overlaps: 10
>>>    Maximum number of bytes to queue per session: 1048576
>>>    Maximum number of segs to queue per session: 2621
>>>    Options:
>>>        Require 3-Way Handshake: YES
>>>        3-Way Handshake Timeout: 180
>>>        Detect Anomalies: YES
>>>    Reassembly Ports:
>>>      21 client (Footprint)
>>>      22 client (Footprint)
>>>      23 client (Footprint)
>>>      25 client (Footprint)
>>>      42 client (Footprint)
>>>      53 client (Footprint)
>>>      79 client (Footprint)
>>>      80 client (Footprint) server (Footprint)
>>>      81 client (Footprint) server (Footprint)
>>>      109 client (Footprint)
>>>      110 client (Footprint)
>>>      111 client (Footprint)
>>>      113 client (Footprint)
>>>      119 client (Footprint)
>>>      135 client (Footprint)
>>>      136 client (Footprint)
>>>      137 client (Footprint)
>>>      139 client (Footprint)
>>>      143 client (Footprint)
>>>      161 client (Footprint)
>>> Stream5 UDP Policy config:
>>>    Timeout: 180 seconds
>>> HttpInspect Config:
>>>    GLOBAL CONFIG
>>>      Max Pipeline Requests:    0
>>>      Inspection Type:          STATELESS
>>>      Detect Proxy Usage:       NO
>>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>      IIS Unicode Map Codepage: 1252
>>>      Max Gzip Memory: 838860
>>>      Max Gzip Sessions: 6
>>>      Gzip Compress Depth: 65535
>>>      Gzip Decompress Depth: 65535
>>>    DEFAULT SERVER CONFIG:
>>>      Server profile: All
>>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180
>>> 8181
>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>      Server Flow Depth: 0
>>>      Client Flow Depth: 0
>>>      Max Chunk Length: 500000
>>>      Max Header Field Length: 750
>>>      Max Number Header Fields: 100
>>>      Inspect Pipeline Requests: YES
>>>      URI Discovery Strict Mode: NO
>>>      Allow Proxy Usage: NO
>>>      Disable Alerting: NO
>>>      Oversize Dir Length: 500
>>>      Only inspect URI: NO
>>>      Normalize HTTP Headers: NO
>>>      Inspect HTTP Cookies: YES
>>>      Inspect HTTP Responses: YES
>>>      Extract Gzip from responses: YES
>>>      Unlimited decompression of gzip data from responses: YES
>>>      Normalize HTTP Cookies: NO
>>>      Enable XFF and True Client IP: NO
>>>      Extended ASCII code support in URI: NO
>>>      Ascii: YES alert: NO
>>>      Double Decoding: YES alert: NO
>>>      %U Encoding: YES alert: YES
>>>      Bare Byte: YES alert: NO
>>>      Base36: OFF
>>>      UTF 8: YES alert: NO
>>>      IIS Unicode: YES alert: NO
>>>      Multiple Slash: YES alert: NO
>>>      IIS Backslash: YES alert: NO
>>>      Directory Traversal: YES alert: NO
>>>      Web Root Traversal: YES alert: NO
>>>      Apache WhiteSpace: YES alert: NO
>>>      IIS Delimiter: YES alert: NO
>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode
>>> arguments:
>>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>> 32776 32777 32778 32779
>>>    alert_fragments: INACTIVE
>>>    alert_large_fragments: INACTIVE
>>>    alert_incomplete: INACTIVE
>>>    alert_multiple_requests: INACTIVE
>>> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
>>> version 1.1.5 (-1) Fatal Error, Quitting..
>>> su-3.2#
>>>
>>>
>>> On Mon, Aug 22, 2011 at 7:57 PM, alexus <alexus at ...11827...> wrote:
>>>> guys, please help
>>>>
>>>> su-3.2# md5 snort-2.9.0.5.tar.gz
>>>> MD5 (snort-2.9.0.5.tar.gz) = a7e6f0b013f767d09c99f8f91757e355
>>>> su-3.2# grep './configure' config.log  $ ./configure --enable-ipv6
>>>> --enable-gre --enable-mpls --enable-targetbased
>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>> --enable-normalizer --enable-reload --enable-react
>>>> --enable-flexresp3 su-3.2# snort -V
>>>>
>>>>   ,,_     -*> Snort! <*-
>>>>  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
>>>>   ''''    By Martin Roesch & The Snort Team:
>>>> http://www.snort.org/snort/snort-team
>>>>           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>>>>           Using libpcap version 1.2.0
>>>>           Using PCRE version: 7.8 2008-09-05
>>>>           Using ZLIB version: 1.2.3
>>>>
>>>> su-3.2# md5 snortrules-snapshot-2905.tar.gz
>>>> MD5 (snortrules-snapshot-2905.tar.gz) =
>>>> 58791cfc8efb4ac278f4c2effea935ff su-3.2# md5
>>>> ../snortrules-snapshot-2905.tar.gz
>>>> MD5 (../snortrules-snapshot-2905.tar.gz) =
>>>> 58791cfc8efb4ac278f4c2effea935ff su-3.2# snort -c
>>>> /usr/local/etc/snort.conf Running in IDS mode
>>>>
>>>>        --== Initializing Snort ==-- Initializing Output Plugins!
>>>> Initializing Preprocessors!
>>>> Initializing Plug-ins!
>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS'
>>>> defined :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>> Detection:
>>>>   Search-Method = AC-Full-Q
>>>>    Split Any/Any group = enabled
>>>>    Search-Method-Optimizations = enabled
>>>>    Maximum pattern length = 20
>>>> ERROR: parser.c(5245) Could not stat dynamic module path
>>>> "/usr/local/lib/snort_dynamicrules": No such file or directory.
>>>> Fatal Error, Quitting..
>>>> su-3.2# ls -dl /usr/local/lib/snort_dynamic*
>>>> drwxr-xr-x  2 root  wheel   512 Aug 22 23:50 /usr/local/lib/snort_dynamicengine
>>>> drwxr-xr-x  2 root  wheel  1536 Aug 22 23:50
>>>> /usr/local/lib/snort_dynamicpreprocessor
>>>> su-3.2#
>>>>
>>>> where does that "snort_dynamicrules" come from?
>>>> what am I missing?
>>>>
>>>>
>>>>
>>>> On Thu, Aug 18, 2011 at 12:13 PM, alexus <alexus at ...11827...> wrote:
>>>>> I downloaded 2.8.6.1
>>>>>
>>>>> su-3.2# snort -V
>>>>>
>>>>>   ,,_     -*> Snort! <*-
>>>>>  o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
>>>>>   ''''    By Martin Roesch & The Snort Team:
>>>>> http://www.snort.org/snort/snort-team
>>>>>           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>>>           Using PCRE version: 7.8 2008-09-05
>>>>>           Using ZLIB version: 1.2.3
>>>>>
>>>>> su-3.2#
>>>>>
>>>>> downloaded the ruleset for 2.8 and same thing... (it CRASHES!!!)
>>>>>
>>>>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>>>>>
>>>>>        --== Initializing Snort ==-- Initializing Output Plugins!
>>>>> Initializing Preprocessors!
>>>>> Initializing Plug-ins!
>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS'
>>>>> defined :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>>> Detection:
>>>>>   Search-Method = AC-Full-Q
>>>>>    Split Any/Any group = enabled
>>>>>    Search-Method-Optimizations = enabled
>>>>>    Maximum pattern length = 20
>>>>> Tagged Packet Limit: 256
>>>>> Loading dynamic engine
>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading
>>>>> all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>>>  Loading dynamic detection library
>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>> done
>>>>>  Finished Loading all dynamic detection libs from
>>>>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>>>>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>> done  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>> done  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>> done  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>> done
>>>>>  Loading dynamic preprocessor library
>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>> done  Finished Loading all dynamic preprocessor libs from
>>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>>> Log directory = /var/log/snort
>>>>> Segmentation fault: 11 (core dumped) su-3.2#
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>>> On 8/17/2011 11:07, alexus wrote:
>>>>>>> it seems like it's failing on part #5
>>>>>>> (preprocessors(rpc_decode))
>>>>>>>
>>>>>>>
>>>>>>> su-3.2# snort -sc /usr/local/etc/snort.conf Running in IDS mode
>>>>>>>
>>>>>>>          --== Initializing Snort ==--
>>>>>> [TRIM]
>>>>>>> rpc_decode arguments:
>>>>>>>      Ports to decode RPC on: 111 32770 32771 32772 32773 32774
>>>>>>> 32775
>>>>>>> 32776 32777 32778 32779
>>>>>>>      alert_fragments: INACTIVE
>>>>>>>      alert_large_fragments: INACTIVE
>>>>>>>      alert_incomplete: INACTIVE
>>>>>>>      alert_multiple_requests: INACTIVE Segmentation fault: 11
>>>>>>> (core dumped) su-3.2#
>>>>>>
>>>>>> in my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line
>>>>>> is the loading of the Portscan Detection Config... it is
>>>>>> immediately after the alert_multiple_requests line... then I have the following sections...
>>>>>>
>>>>>>  FTPTelnet Config
>>>>>>  SMTP Config
>>>>>>  SSH Config
>>>>>>  DCE/RPC 2 Preprocessor Configuration
>>>>>>  DNS Configuration
>>>>>>  SSLPP config
>>>>>>  Initializing rule chains...
>>>>>>
>>>>>> maybe this helps somewhat?
>>>>>>
>>>>>> -----------------------------------------------------------------
>>>>>> ------------- Get a FREE DOWNLOAD! and learn more about uberSVN
>>>>>> rich system, user administration capabilities and model
>>>>>> configuration. Take the hassle out of deploying and managing
>>>>>> Subversion and the tools developers use with it.
>>>>>> http://p.sf.net/sfu/wandisco-d2d-2
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net Go to this URL to change user
>>>>>> options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>
>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://alexus.org/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> http://alexus.org/
>>>>
>>>
>>>
>>>
>>> --
>>> http://alexus.org/
>>>
>>
>>
>
>
>
> --
> http://alexus.org/
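The thread above ends with two practical points: verify the tarball checksum before building (alexus posts `md5` output for both archives), and do not start a new Snort binary against dynamic preprocessor libraries left behind by an earlier install, which is what Joel's "remove the items in those directories" advice addresses. The script below is an added example, not code from the thread or from the Snort project. It bundles both checks as a pre-flight step to run before `snort -c`. The "library older than the snort binary means leftover" rule is this script's own heuristic (a normal `make install` copies the new libraries after or alongside the binary); the thread does not state it, and the function names `verify_md5`, `stale_libs` and `preflight` are the script's own. The checksum in the usage comment is the one alexus posted for snort-2.9.0.5.tar.gz.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): pre-flight
# checks for a Snort source install.
#  1. verify the downloaded tarball's MD5 before building;
#  2. flag dynamic libraries in the snort_dynamic* directories that are
#     older than the snort binary, i.e. probably left over from a previous
#     install (assumption/heuristic of this script, not stated in the thread).

set -u

# md5_of FILE: print the hex MD5 of FILE with whichever tool is present
# (GNU md5sum, BSD md5 as used in the thread, or openssl as a fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED: exit status 0 only when the digests match.
verify_md5() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# stale_libs BIN DIR...: list every *.so in the given directories whose
# mtime is strictly older than the snort binary BIN, sorted.
stale_libs() {
    bin=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.so; do
            [ -e "$f" ] || continue
            if [ "$f" -ot "$bin" ]; then
                echo "$f"
            fi
        done
    done | sort
}

# preflight TARBALL EXPECTED_MD5 BIN DIR...: run both checks.
# Returns 0 when everything is clean, 1 on a checksum mismatch,
# 2 when stale libraries were found (they are listed on stderr).
preflight() {
    tarball=$1; expected=$2; bin=$3; shift 3
    if ! verify_md5 "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball" >&2
        return 1
    fi
    stale=$(stale_libs "$bin" "$@")
    if [ -n "$stale" ]; then
        echo "libraries older than $bin (left over from a previous install?):" >&2
        echo "$stale" >&2
        return 2
    fi
    return 0
}

# Usage against a real tree (paths and checksum as posted in the thread):
#   sh preflight.sh --demo snort-2.9.0.5.tar.gz a7e6f0b013f767d09c99f8f91757e355 \
#       /usr/local/bin/snort /usr/local/lib/snort_dynamicpreprocessor \
#       /usr/local/lib/snort_dynamicrules
if [ "${1:-}" = "--demo" ]; then
    shift
    preflight "$@" && echo "preflight OK"
fi
```

Run it after `make install` and before the first `snort -c`. A non-zero exit with a list of `.so` files under `/usr/local/lib/snort_dynamicpreprocessor` is the situation the thread describes: the new binary will try to load those libraries and fail with a version mismatch, so clear the directories and reinstall, as Joel suggests, rather than editing around the error.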




