[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

Joel Esler jesler at ...1935...
Tue Aug 23 00:08:39 EDT 2011


If you are experiencing an error with the SO rules, please let me know. 

-- 
Sent from my iPad
Please excuse the brevity

On Aug 22, 2011, at 11:05 PM, "Gibson, Nathan J. (HSC)" <Nathan-Gibson at ...391...5095...> wrote:

> What O/S are you running? I found the RHEL rules don't work for me on RHEL so I use the Cent rules.
> 
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Monday, August 22, 2011 8:51 PM
> To: alexus
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.
> 
> Alexus,
> 
> I understand the difficulty you must be going through, and I'll give you one more branch of assistance; however, I suggest you check out the Snort Manual: http://manual.snort.org. We can't step you through every single line that is causing an error.
> 
> This error means you are running the wrong version of Dynamic preprocessors with a differing version of Snort.
> 
> Snort 2.9.1 will come out this week; I suggest you remove the installation of Snort you have now, and the items in those directories, and go with a fresh install of Snort 2.9.1.
> 
> Joel
> 
> On Aug 22, 2011, at 9:47 PM, alexus wrote:
> 
>> directory is already there... i created it
>> 
>> here is my new output
>> 
>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>> 
>>       --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file "/usr/local/etc/snort.conf"
>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar 'SHELLCODE_PORTS'
>> defined :  [ 0:79 81:65535 ] PortVar 'ORACLE_PORTS' defined :  [
>> 1024:65535 ] PortVar 'SSH_PORTS' defined :  [ 22 65535 ] PortVar
>> 'FTP_PORTS' defined :  [ 20:21 ]
>> Detection:
>>  Search-Method = AC-Full-Q
>>   Split Any/Any group = enabled
>>   Search-Method-Optimizations = enabled
>>   Maximum pattern length = 20
>> Tagged Packet Limit: 256
>> Loading dynamic engine
>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading all
>> dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>> Warning: No dynamic libraries found in directory
>> /usr/local/lib/snort_dynamicrules!
>> Finished Loading all dynamic detection libs from
>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>> done
>> Finished Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/
>> Log directory = /var/log/snort
>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>> normalizations disabled because not inlineWARNING: icmp4
>> normalizations disabled because not inlineWARNING: ip6 normalizations
>> disabled because not inlineWARNING: icmp6 normalizations disabled
>> because not inlineFrag3 global config:
>>   Max frags: 65536
>>   Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>>   Target-based policy: WINDOWS
>>   Fragment timeout: 180 seconds
>>   Fragment min_ttl:   1
>>   Fragment Problems: 1
>>   Overlap Limit:     10
>>   Min fragment Length:     100
>> Stream5 global config:
>>   Track TCP sessions: ACTIVE
>>   Max TCP sessions: 262144
>>   Memcap (for reassembly packet storage): 8388608
>>   Track UDP sessions: ACTIVE
>>   Max UDP sessions: 131072
>>   Track ICMP sessions: INACTIVE
>>   Log info if session memory consumption exceeds 1048576
>>   Send up to 2 active responses
>>   Wait at least 5 seconds between responses
>> Stream5 TCP Policy config:
>>   Reassembly Policy: WINDOWS
>>   Timeout: 180 seconds
>>   Limit on TCP Overlaps: 10
>>   Maximum number of bytes to queue per session: 1048576
>>   Maximum number of segs to queue per session: 2621
>>   Options:
>>       Require 3-Way Handshake: YES
>>       3-Way Handshake Timeout: 180
>>       Detect Anomalies: YES
>>   Reassembly Ports:
>>     21 client (Footprint)
>>     22 client (Footprint)
>>     23 client (Footprint)
>>     25 client (Footprint)
>>     42 client (Footprint)
>>     53 client (Footprint)
>>     79 client (Footprint)
>>     80 client (Footprint) server (Footprint)
>>     81 client (Footprint) server (Footprint)
>>     109 client (Footprint)
>>     110 client (Footprint)
>>     111 client (Footprint)
>>     113 client (Footprint)
>>     119 client (Footprint)
>>     135 client (Footprint)
>>     136 client (Footprint)
>>     137 client (Footprint)
>>     139 client (Footprint)
>>     143 client (Footprint)
>>     161 client (Footprint)
>> Stream5 UDP Policy config:
>>   Timeout: 180 seconds
>> HttpInspect Config:
>>   GLOBAL CONFIG
>>     Max Pipeline Requests:    0
>>     Inspection Type:          STATELESS
>>     Detect Proxy Usage:       NO
>>     IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>     IIS Unicode Map Codepage: 1252
>>     Max Gzip Memory: 838860
>>     Max Gzip Sessions: 6
>>     Gzip Compress Depth: 65535
>>     Gzip Decompress Depth: 65535
>>   DEFAULT SERVER CONFIG:
>>     Server profile: All
>>     Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>> 8243 8280 8888 9090 9091 9443 9999 11371
>>     Server Flow Depth: 0
>>     Client Flow Depth: 0
>>     Max Chunk Length: 500000
>>     Max Header Field Length: 750
>>     Max Number Header Fields: 100
>>     Inspect Pipeline Requests: YES
>>     URI Discovery Strict Mode: NO
>>     Allow Proxy Usage: NO
>>     Disable Alerting: NO
>>     Oversize Dir Length: 500
>>     Only inspect URI: NO
>>     Normalize HTTP Headers: NO
>>     Inspect HTTP Cookies: YES
>>     Inspect HTTP Responses: YES
>>     Extract Gzip from responses: YES
>>     Unlimited decompression of gzip data from responses: YES
>>     Normalize HTTP Cookies: NO
>>     Enable XFF and True Client IP: NO
>>     Extended ASCII code support in URI: NO
>>     Ascii: YES alert: NO
>>     Double Decoding: YES alert: NO
>>     %U Encoding: YES alert: YES
>>     Bare Byte: YES alert: NO
>>     Base36: OFF
>>     UTF 8: YES alert: NO
>>     IIS Unicode: YES alert: NO
>>     Multiple Slash: YES alert: NO
>>     IIS Backslash: YES alert: NO
>>     Directory Traversal: YES alert: NO
>>     Web Root Traversal: YES alert: NO
>>     Apache WhiteSpace: YES alert: NO
>>     IIS Delimiter: YES alert: NO
>>     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>     Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>     Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode arguments:
>>   Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>> 32776 32777 32778 32779
>>   alert_fragments: INACTIVE
>>   alert_large_fragments: INACTIVE
>>   alert_incomplete: INACTIVE
>>   alert_multiple_requests: INACTIVE
>> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
>> version 1.1.5 (-1) Fatal Error, Quitting..
>> su-3.2#
>> 
>> can someone explain to me what this means? how do I get rid of it/fix it?
>> 
>> 
>> On Mon, Aug 22, 2011 at 8:56 PM, Joel Esler <jesler at ...1935...> wrote:
>>> I recommend the use of pulledpork to be able to manage your Snort rules and place the Shared Object rules that exist in the correct directory.
>>> 
>>> First, start by creating that directory.
>>> 
>>> Joel
>>> 
>>> On Aug 22, 2011, at 8:17 PM, alexus wrote:
>>> 
>>>> i created that directory so now new output
>>>> 
>>>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>>>> 
>>>>       --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Initializing Preprocessors!
>>>> Initializing Plug-ins!
>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS' defined
>>>> :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>> Detection:
>>>>  Search-Method = AC-Full-Q
>>>>   Split Any/Any group = enabled
>>>>   Search-Method-Optimizations = enabled
>>>>   Maximum pattern length = 20
>>>> Tagged Packet Limit: 256
>>>> Loading dynamic engine
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading
>>>> all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>> Warning: No dynamic libraries found in directory
>>>> /usr/local/lib/snort_dynamicrules!
>>>> Finished Loading all dynamic detection libs from
>>>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>>>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>>>> Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>> done
>>>> Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>> done
>>>> Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>> done
>>>> Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>> done
>>>> Finished Loading all dynamic preprocessor libs from
>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>> Log directory = /var/log/snort
>>>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>>>> normalizations disabled because not inlineWARNING: icmp4
>>>> normalizations disabled because not inlineWARNING: ip6
>>>> normalizations disabled because not inlineWARNING: icmp6
>>>> normalizations disabled because not inlineFrag3 global config:
>>>>   Max frags: 65536
>>>>   Fragment memory cap: 4194304 bytes
>>>> Frag3 engine config:
>>>>   Target-based policy: WINDOWS
>>>>   Fragment timeout: 180 seconds
>>>>   Fragment min_ttl:   1
>>>>   Fragment Problems: 1
>>>>   Overlap Limit:     10
>>>>   Min fragment Length:     100
>>>> Stream5 global config:
>>>>   Track TCP sessions: ACTIVE
>>>>   Max TCP sessions: 262144
>>>>   Memcap (for reassembly packet storage): 8388608
>>>>   Track UDP sessions: ACTIVE
>>>>   Max UDP sessions: 131072
>>>>   Track ICMP sessions: INACTIVE
>>>>   Log info if session memory consumption exceeds 1048576
>>>>   Send up to 2 active responses
>>>>   Wait at least 5 seconds between responses
>>>> Stream5 TCP Policy config:
>>>>   Reassembly Policy: WINDOWS
>>>>   Timeout: 180 seconds
>>>>   Limit on TCP Overlaps: 10
>>>>   Maximum number of bytes to queue per session: 1048576
>>>>   Maximum number of segs to queue per session: 2621
>>>>   Options:
>>>>       Require 3-Way Handshake: YES
>>>>       3-Way Handshake Timeout: 180
>>>>       Detect Anomalies: YES
>>>>   Reassembly Ports:
>>>>     21 client (Footprint)
>>>>     22 client (Footprint)
>>>>     23 client (Footprint)
>>>>     25 client (Footprint)
>>>>     42 client (Footprint)
>>>>     53 client (Footprint)
>>>>     79 client (Footprint)
>>>>     80 client (Footprint) server (Footprint)
>>>>     81 client (Footprint) server (Footprint)
>>>>     109 client (Footprint)
>>>>     110 client (Footprint)
>>>>     111 client (Footprint)
>>>>     113 client (Footprint)
>>>>     119 client (Footprint)
>>>>     135 client (Footprint)
>>>>     136 client (Footprint)
>>>>     137 client (Footprint)
>>>>     139 client (Footprint)
>>>>     143 client (Footprint)
>>>>     161 client (Footprint)
>>>> Stream5 UDP Policy config:
>>>>   Timeout: 180 seconds
>>>> HttpInspect Config:
>>>>   GLOBAL CONFIG
>>>>     Max Pipeline Requests:    0
>>>>     Inspection Type:          STATELESS
>>>>     Detect Proxy Usage:       NO
>>>>     IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>>     IIS Unicode Map Codepage: 1252
>>>>     Max Gzip Memory: 838860
>>>>     Max Gzip Sessions: 6
>>>>     Gzip Compress Depth: 65535
>>>>     Gzip Decompress Depth: 65535
>>>>   DEFAULT SERVER CONFIG:
>>>>     Server profile: All
>>>>     Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180
>>>> 8181
>>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>>     Server Flow Depth: 0
>>>>     Client Flow Depth: 0
>>>>     Max Chunk Length: 500000
>>>>     Max Header Field Length: 750
>>>>     Max Number Header Fields: 100
>>>>     Inspect Pipeline Requests: YES
>>>>     URI Discovery Strict Mode: NO
>>>>     Allow Proxy Usage: NO
>>>>     Disable Alerting: NO
>>>>     Oversize Dir Length: 500
>>>>     Only inspect URI: NO
>>>>     Normalize HTTP Headers: NO
>>>>     Inspect HTTP Cookies: YES
>>>>     Inspect HTTP Responses: YES
>>>>     Extract Gzip from responses: YES
>>>>     Unlimited decompression of gzip data from responses: YES
>>>>     Normalize HTTP Cookies: NO
>>>>     Enable XFF and True Client IP: NO
>>>>     Extended ASCII code support in URI: NO
>>>>     Ascii: YES alert: NO
>>>>     Double Decoding: YES alert: NO
>>>>     %U Encoding: YES alert: YES
>>>>     Bare Byte: YES alert: NO
>>>>     Base36: OFF
>>>>     UTF 8: YES alert: NO
>>>>     IIS Unicode: YES alert: NO
>>>>     Multiple Slash: YES alert: NO
>>>>     IIS Backslash: YES alert: NO
>>>>     Directory Traversal: YES alert: NO
>>>>     Web Root Traversal: YES alert: NO
>>>>     Apache WhiteSpace: YES alert: NO
>>>>     IIS Delimiter: YES alert: NO
>>>>     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>>     Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>>     Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode
>>>> arguments:
>>>>   Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>>> 32776 32777 32778 32779
>>>>   alert_fragments: INACTIVE
>>>>   alert_large_fragments: INACTIVE
>>>>   alert_incomplete: INACTIVE
>>>>   alert_multiple_requests: INACTIVE
>>>> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
>>>> version 1.1.5 (-1) Fatal Error, Quitting..
>>>> su-3.2#
>>>> 
>>>> 
>>>> On Mon, Aug 22, 2011 at 7:57 PM, alexus <alexus at ...11827...> wrote:
>>>>> guys, please help
>>>>> 
>>>>> su-3.2# md5 snort-2.9.0.5.tar.gz
>>>>> MD5 (snort-2.9.0.5.tar.gz) = a7e6f0b013f767d09c99f8f91757e355
>>>>> su-3.2# grep './configure' config.log  $ ./configure --enable-ipv6
>>>>> --enable-gre --enable-mpls --enable-targetbased
>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>> --enable-normalizer --enable-reload --enable-react
>>>>> --enable-flexresp3 su-3.2# snort -V
>>>>> 
>>>>>  ,,_     -*> Snort! <*-
>>>>> o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
>>>>>  ''''    By Martin Roesch & The Snort Team:
>>>>> http://www.snort.org/snort/snort-team
>>>>>          Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>>>>>          Using libpcap version 1.2.0
>>>>>          Using PCRE version: 7.8 2008-09-05
>>>>>          Using ZLIB version: 1.2.3
>>>>> 
>>>>> su-3.2# md5 snortrules-snapshot-2905.tar.gz
>>>>> MD5 (snortrules-snapshot-2905.tar.gz) =
>>>>> 58791cfc8efb4ac278f4c2effea935ff su-3.2# md5
>>>>> ../snortrules-snapshot-2905.tar.gz
>>>>> MD5 (../snortrules-snapshot-2905.tar.gz) =
>>>>> 58791cfc8efb4ac278f4c2effea935ff su-3.2# snort -c
>>>>> /usr/local/etc/snort.conf Running in IDS mode
>>>>> 
>>>>>       --== Initializing Snort ==-- Initializing Output Plugins!
>>>>> Initializing Preprocessors!
>>>>> Initializing Plug-ins!
>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS'
>>>>> defined :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>>> Detection:
>>>>>  Search-Method = AC-Full-Q
>>>>>   Split Any/Any group = enabled
>>>>>   Search-Method-Optimizations = enabled
>>>>>   Maximum pattern length = 20
>>>>> ERROR: parser.c(5245) Could not stat dynamic module path
>>>>> "/usr/local/lib/snort_dynamicrules": No such file or directory.
>>>>> Fatal Error, Quitting..
>>>>> su-3.2# ls -dl /usr/local/lib/snort_dynamic*
>>>>> drwxr-xr-x  2 root  wheel   512 Aug 22 23:50 /usr/local/lib/snort_dynamicengine
>>>>> drwxr-xr-x  2 root  wheel  1536 Aug 22 23:50
>>>>> /usr/local/lib/snort_dynamicpreprocessor
>>>>> su-3.2#
>>>>> 
>>>>> where does that "snort_dynamicrules" come from?
>>>>> what am I missing?
>>>>> 
>>>>> 
>>>>> 
>>>>> On Thu, Aug 18, 2011 at 12:13 PM, alexus <alexus at ...11827...> wrote:
>>>>>> I downloaded 2.8.6.1
>>>>>> 
>>>>>> su-3.2# snort -V
>>>>>> 
>>>>>>  ,,_     -*> Snort! <*-
>>>>>> o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
>>>>>>  ''''    By Martin Roesch & The Snort Team:
>>>>>> http://www.snort.org/snort/snort-team
>>>>>>          Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>>>>          Using PCRE version: 7.8 2008-09-05
>>>>>>          Using ZLIB version: 1.2.3
>>>>>> 
>>>>>> su-3.2#
>>>>>> 
>>>>>> downloaded the ruleset for 2.8 and same thing... (it CRASHES!!!)
>>>>>> 
>>>>>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>>>>>> 
>>>>>>       --== Initializing Snort ==-- Initializing Output Plugins!
>>>>>> Initializing Preprocessors!
>>>>>> Initializing Plug-ins!
>>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS'
>>>>>> defined :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>>>> Detection:
>>>>>>  Search-Method = AC-Full-Q
>>>>>>   Split Any/Any group = enabled
>>>>>>   Search-Method-Optimizations = enabled
>>>>>>   Maximum pattern length = 20
>>>>>> Tagged Packet Limit: 256
>>>>>> Loading dynamic engine
>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading
>>>>>> all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>>>> Loading dynamic detection library
>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>> done
>>>>>> Finished Loading all dynamic detection libs from
>>>>>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>>>>>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>> Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>> done
>>>>>> Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>> done
>>>>>> Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>>> done  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>> done
>>>>>> Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>>> done  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>>> done  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>> done
>>>>>> Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>> done
>>>>>> Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>>> done  Finished Loading all dynamic preprocessor libs from
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>>>> Log directory = /var/log/snort
>>>>>> Segmentation fault: 11 (core dumped) su-3.2#
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>>>> On 8/17/2011 11:07, alexus wrote:
>>>>>>>> it seems like it's failing on part #5
>>>>>>>> (preprocessors(rpc_decode))
>>>>>>>> 
>>>>>>>> 
>>>>>>>> su-3.2# snort -sc /usr/local/etc/snort.conf Running in IDS mode
>>>>>>>> 
>>>>>>>>         --== Initializing Snort ==--
>>>>>>> [TRIM]
>>>>>>>> rpc_decode arguments:
>>>>>>>>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774
>>>>>>>> 32775
>>>>>>>> 32776 32777 32778 32779
>>>>>>>>     alert_fragments: INACTIVE
>>>>>>>>     alert_large_fragments: INACTIVE
>>>>>>>>     alert_incomplete: INACTIVE
>>>>>>>>     alert_multiple_requests: INACTIVE Segmentation fault: 11
>>>>>>>> (core dumped) su-3.2#
>>>>>>> 
>>>>>>> in my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line
>>>>>>> is the loading of the Portscan Detection Config... it is
>>>>>>> immediately after the alert_multiple_requests line... then i have the following sections...
>>>>>>> 
>>>>>>> FTPTelnet Config
>>>>>>> SMTP Config
>>>>>>> SSH Config
>>>>>>> DCE/RPC 2 Preprocessor Configuration  DNS Configuration  SSLPP
>>>>>>> config  Initializing rule chains...
>>>>>>> 
>>>>>>> maybe this helps somewhat?
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net Go to this URL to change user
>>>>>>> options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>> 
>>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> http://alexus.org/
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> http://alexus.org/
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> http://alexus.org/
>>>> 
>>> 
>>> 
>> 
>> 
>> 
>> --
>> http://alexus.org/
> 
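Added example, not from the thread or the Snort project: a POSIX shell preflight check that parses the dynamicengine / dynamicpreprocessor / dynamicdetection directives of a snort.conf and reports paths that do not exist, which is what produced the "Could not stat dynamic module path" fatal error quoted above. Flagging lib_sfdynamic_*example* libraries is a heuristic of mine, and the snort.conf path is whatever is passed on the command line.

```shell
#!/bin/sh
# Preflight check for Snort 2.x dynamic module paths (added example, not
# part of the Snort project). It parses the dynamicengine /
# dynamicpreprocessor / dynamicdetection directives of a snort.conf and
# reports any path that does not exist, so a missing snort_dynamicrules
# directory is caught before Snort aborts with
# "Could not stat dynamic module path". Reporting lib_sfdynamic_*example*
# libraries is a heuristic: they are the example modules from the source
# tree and usually indicate a stale or mixed install.
# Usage: snort_dyn_check /usr/local/etc/snort.conf   (exit 1 on a missing path)

snort_dyn_check() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # The here-document keeps the loop in the current shell so rc survives.
    # Each parsed line is: directive  kind(directory|file|-)  path
    while read -r directive kind path; do
        [ -z "$directive" ] && continue
        case "$kind" in
            directory)
                if [ ! -d "$path" ]; then
                    echo "MISSING DIR  $directive: $path"
                    rc=1
                else
                    # An empty directory only draws a warning from Snort.
                    n=$(ls "$path"/*.so 2>/dev/null | wc -l | tr -d ' ')
                    if [ "$n" -eq 0 ]; then
                        echo "EMPTY DIR    $directive: $path (no .so files)"
                    fi
                    for ex in "$path"/lib_sfdynamic_*example*; do
                        if [ -e "$ex" ]; then
                            echo "EXAMPLE LIB  $directive: $ex"
                        fi
                    done
                fi ;;
            *)
                # "file" form, or the bare "dynamicengine /path/libsf_engine.so"
                if [ ! -f "$path" ]; then
                    echo "MISSING FILE $directive: $path"
                    rc=1
                fi ;;
        esac
    done <<EOF
$(sed -e 's/#.*//' "$conf" | awk '
    $1 ~ /^dynamic(engine|preprocessor|detection)$/ {
        if ($2 == "directory" || $2 == "file") print $1, $2, $3
        else print $1, "-", $2
    }')
EOF
    return $rc
}

# Run directly against a conf given on the command line.
if [ "$#" -eq 1 ]; then
    snort_dyn_check "$1"
fi
```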