[Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

alexus alexus at ...11827...
Tue Aug 23 01:04:20 EDT 2011


(05:03:44 <~>) 0 $ uname -a
FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
17:48:16 UTC 2011
alexus at ...15356...:/usr/obj/usr/src/sys/GENERIC  amd64
(05:03:45 <~>) 0 $

So far all rules are working; I didn't end up commenting anything out...

On Mon, Aug 22, 2011 at 11:05 PM, Gibson, Nathan J. (HSC)
<Nathan-Gibson at ...15095...> wrote:
> What O/S are you running? I found the RHEL rules don't work for me on RHEL so I use the Cent rules.
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Monday, August 22, 2011 8:51 PM
> To: alexus
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.
>
> Alexus,
>
> I understand the difficulty you must be going through, and I'll give you one more branch of assistance, however, I suggest you check out the Snort Manual:  http://manual.snort.org.  We can't step you through every single line that is causing an error.
>
> This error means you are running the wrong version of Dynamic preprocessors with a differing version of Snort.
>
> Snort 2.9.1 will come out this week, I suggest you remove the installation of Snort you have now, and the items in those directories, and go with a fresh install of Snort 2.9.1
>
> Joel
>
> On Aug 22, 2011, at 9:47 PM, alexus wrote:
>
>> The directory is already there... I created it
>>
>> here is my new output
>>
>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>>
>>        --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file "/usr/local/etc/snort.conf"
>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar 'SHELLCODE_PORTS'
>> defined :  [ 0:79 81:65535 ] PortVar 'ORACLE_PORTS' defined :  [
>> 1024:65535 ] PortVar 'SSH_PORTS' defined :  [ 22 65535 ] PortVar
>> 'FTP_PORTS' defined :  [ 20:21 ]
>> Detection:
>>   Search-Method = AC-Full-Q
>>    Split Any/Any group = enabled
>>    Search-Method-Optimizations = enabled
>>    Maximum pattern length = 20
>> Tagged Packet Limit: 256
>> Loading dynamic engine
>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading all
>> dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>> Warning: No dynamic libraries found in directory
>> /usr/local/lib/snort_dynamicrules!
>>  Finished Loading all dynamic detection libs from
>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>> done
>>  Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>> done
>>  Finished Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/
>> Log directory = /var/log/snort
>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>> normalizations disabled because not inlineWARNING: icmp4
>> normalizations disabled because not inlineWARNING: ip6 normalizations
>> disabled because not inlineWARNING: icmp6 normalizations disabled
>> because not inlineFrag3 global config:
>>    Max frags: 65536
>>    Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>>    Target-based policy: WINDOWS
>>    Fragment timeout: 180 seconds
>>    Fragment min_ttl:   1
>>    Fragment Problems: 1
>>    Overlap Limit:     10
>>    Min fragment Length:     100
>> Stream5 global config:
>>    Track TCP sessions: ACTIVE
>>    Max TCP sessions: 262144
>>    Memcap (for reassembly packet storage): 8388608
>>    Track UDP sessions: ACTIVE
>>    Max UDP sessions: 131072
>>    Track ICMP sessions: INACTIVE
>>    Log info if session memory consumption exceeds 1048576
>>    Send up to 2 active responses
>>    Wait at least 5 seconds between responses
>> Stream5 TCP Policy config:
>>    Reassembly Policy: WINDOWS
>>    Timeout: 180 seconds
>>    Limit on TCP Overlaps: 10
>>    Maximum number of bytes to queue per session: 1048576
>>    Maximum number of segs to queue per session: 2621
>>    Options:
>>        Require 3-Way Handshake: YES
>>        3-Way Handshake Timeout: 180
>>        Detect Anomalies: YES
>>    Reassembly Ports:
>>      21 client (Footprint)
>>      22 client (Footprint)
>>      23 client (Footprint)
>>      25 client (Footprint)
>>      42 client (Footprint)
>>      53 client (Footprint)
>>      79 client (Footprint)
>>      80 client (Footprint) server (Footprint)
>>      81 client (Footprint) server (Footprint)
>>      109 client (Footprint)
>>      110 client (Footprint)
>>      111 client (Footprint)
>>      113 client (Footprint)
>>      119 client (Footprint)
>>      135 client (Footprint)
>>      136 client (Footprint)
>>      137 client (Footprint)
>>      139 client (Footprint)
>>      143 client (Footprint)
>>      161 client (Footprint)
>> Stream5 UDP Policy config:
>>    Timeout: 180 seconds
>> HttpInspect Config:
>>    GLOBAL CONFIG
>>      Max Pipeline Requests:    0
>>      Inspection Type:          STATELESS
>>      Detect Proxy Usage:       NO
>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>      IIS Unicode Map Codepage: 1252
>>      Max Gzip Memory: 838860
>>      Max Gzip Sessions: 6
>>      Gzip Compress Depth: 65535
>>      Gzip Decompress Depth: 65535
>>    DEFAULT SERVER CONFIG:
>>      Server profile: All
>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>> 8243 8280 8888 9090 9091 9443 9999 11371
>>      Server Flow Depth: 0
>>      Client Flow Depth: 0
>>      Max Chunk Length: 500000
>>      Max Header Field Length: 750
>>      Max Number Header Fields: 100
>>      Inspect Pipeline Requests: YES
>>      URI Discovery Strict Mode: NO
>>      Allow Proxy Usage: NO
>>      Disable Alerting: NO
>>      Oversize Dir Length: 500
>>      Only inspect URI: NO
>>      Normalize HTTP Headers: NO
>>      Inspect HTTP Cookies: YES
>>      Inspect HTTP Responses: YES
>>      Extract Gzip from responses: YES
>>      Unlimited decompression of gzip data from responses: YES
>>      Normalize HTTP Cookies: NO
>>      Enable XFF and True Client IP: NO
>>      Extended ASCII code support in URI: NO
>>      Ascii: YES alert: NO
>>      Double Decoding: YES alert: NO
>>      %U Encoding: YES alert: YES
>>      Bare Byte: YES alert: NO
>>      Base36: OFF
>>      UTF 8: YES alert: NO
>>      IIS Unicode: YES alert: NO
>>      Multiple Slash: YES alert: NO
>>      IIS Backslash: YES alert: NO
>>      Directory Traversal: YES alert: NO
>>      Web Root Traversal: YES alert: NO
>>      Apache WhiteSpace: YES alert: NO
>>      IIS Delimiter: YES alert: NO
>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode arguments:
>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>> 32776 32777 32778 32779
>>    alert_fragments: INACTIVE
>>    alert_large_fragments: INACTIVE
>>    alert_incomplete: INACTIVE
>>    alert_multiple_requests: INACTIVE
>> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
>> version 1.1.5 (-1) Fatal Error, Quitting..
>> su-3.2#
>>
>> Can someone explain to me what this means? How do I get rid of it/fix it?
>>
>>
>> On Mon, Aug 22, 2011 at 8:56 PM, Joel Esler <jesler at ...1935...> wrote:
>>> I recommend the use of pulledpork to be able to manage your Snort rules and place the Shared Object rules that exist in the correct directory.
>>>
>>> First, start by creating that directory.
>>>
>>> Joel
>>>
>>> On Aug 22, 2011, at 8:17 PM, alexus wrote:
>>>
>>>> I created that directory, so now new output:
>>>>
>>>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>>>>
>>>>        --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Initializing Preprocessors!
>>>> Initializing Plug-ins!
>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS' defined
>>>> :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>> Detection:
>>>>   Search-Method = AC-Full-Q
>>>>    Split Any/Any group = enabled
>>>>    Search-Method-Optimizations = enabled
>>>>    Maximum pattern length = 20
>>>> Tagged Packet Limit: 256
>>>> Loading dynamic engine
>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading
>>>> all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>> Warning: No dynamic libraries found in directory
>>>> /usr/local/lib/snort_dynamicrules!
>>>>  Finished Loading all dynamic detection libs from
>>>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>>>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>> done
>>>>  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>> done  Loading dynamic preprocessor library
>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>> done
>>>>  Finished Loading all dynamic preprocessor libs from
>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>> Log directory = /var/log/snort
>>>> WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
>>>> normalizations disabled because not inlineWARNING: icmp4
>>>> normalizations disabled because not inlineWARNING: ip6
>>>> normalizations disabled because not inlineWARNING: icmp6
>>>> normalizations disabled because not inlineFrag3 global config:
>>>>    Max frags: 65536
>>>>    Fragment memory cap: 4194304 bytes
>>>> Frag3 engine config:
>>>>    Target-based policy: WINDOWS
>>>>    Fragment timeout: 180 seconds
>>>>    Fragment min_ttl:   1
>>>>    Fragment Problems: 1
>>>>    Overlap Limit:     10
>>>>    Min fragment Length:     100
>>>> Stream5 global config:
>>>>    Track TCP sessions: ACTIVE
>>>>    Max TCP sessions: 262144
>>>>    Memcap (for reassembly packet storage): 8388608
>>>>    Track UDP sessions: ACTIVE
>>>>    Max UDP sessions: 131072
>>>>    Track ICMP sessions: INACTIVE
>>>>    Log info if session memory consumption exceeds 1048576
>>>>    Send up to 2 active responses
>>>>    Wait at least 5 seconds between responses
>>>> Stream5 TCP Policy config:
>>>>    Reassembly Policy: WINDOWS
>>>>    Timeout: 180 seconds
>>>>    Limit on TCP Overlaps: 10
>>>>    Maximum number of bytes to queue per session: 1048576
>>>>    Maximum number of segs to queue per session: 2621
>>>>    Options:
>>>>        Require 3-Way Handshake: YES
>>>>        3-Way Handshake Timeout: 180
>>>>        Detect Anomalies: YES
>>>>    Reassembly Ports:
>>>>      21 client (Footprint)
>>>>      22 client (Footprint)
>>>>      23 client (Footprint)
>>>>      25 client (Footprint)
>>>>      42 client (Footprint)
>>>>      53 client (Footprint)
>>>>      79 client (Footprint)
>>>>      80 client (Footprint) server (Footprint)
>>>>      81 client (Footprint) server (Footprint)
>>>>      109 client (Footprint)
>>>>      110 client (Footprint)
>>>>      111 client (Footprint)
>>>>      113 client (Footprint)
>>>>      119 client (Footprint)
>>>>      135 client (Footprint)
>>>>      136 client (Footprint)
>>>>      137 client (Footprint)
>>>>      139 client (Footprint)
>>>>      143 client (Footprint)
>>>>      161 client (Footprint)
>>>> Stream5 UDP Policy config:
>>>>    Timeout: 180 seconds
>>>> HttpInspect Config:
>>>>    GLOBAL CONFIG
>>>>      Max Pipeline Requests:    0
>>>>      Inspection Type:          STATELESS
>>>>      Detect Proxy Usage:       NO
>>>>      IIS Unicode Map Filename: /usr/local/etc/unicode.map
>>>>      IIS Unicode Map Codepage: 1252
>>>>      Max Gzip Memory: 838860
>>>>      Max Gzip Sessions: 6
>>>>      Gzip Compress Depth: 65535
>>>>      Gzip Decompress Depth: 65535
>>>>    DEFAULT SERVER CONFIG:
>>>>      Server profile: All
>>>>      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>>>> 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180
>>>> 8181
>>>> 8243 8280 8888 9090 9091 9443 9999 11371
>>>>      Server Flow Depth: 0
>>>>      Client Flow Depth: 0
>>>>      Max Chunk Length: 500000
>>>>      Max Header Field Length: 750
>>>>      Max Number Header Fields: 100
>>>>      Inspect Pipeline Requests: YES
>>>>      URI Discovery Strict Mode: NO
>>>>      Allow Proxy Usage: NO
>>>>      Disable Alerting: NO
>>>>      Oversize Dir Length: 500
>>>>      Only inspect URI: NO
>>>>      Normalize HTTP Headers: NO
>>>>      Inspect HTTP Cookies: YES
>>>>      Inspect HTTP Responses: YES
>>>>      Extract Gzip from responses: YES
>>>>      Unlimited decompression of gzip data from responses: YES
>>>>      Normalize HTTP Cookies: NO
>>>>      Enable XFF and True Client IP: NO
>>>>      Extended ASCII code support in URI: NO
>>>>      Ascii: YES alert: NO
>>>>      Double Decoding: YES alert: NO
>>>>      %U Encoding: YES alert: YES
>>>>      Bare Byte: YES alert: NO
>>>>      Base36: OFF
>>>>      UTF 8: YES alert: NO
>>>>      IIS Unicode: YES alert: NO
>>>>      Multiple Slash: YES alert: NO
>>>>      IIS Backslash: YES alert: NO
>>>>      Directory Traversal: YES alert: NO
>>>>      Web Root Traversal: YES alert: NO
>>>>      Apache WhiteSpace: YES alert: NO
>>>>      IIS Delimiter: YES alert: NO
>>>>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>>>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>>>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode
>>>> arguments:
>>>>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
>>>> 32776 32777 32778 32779
>>>>    alert_fragments: INACTIVE
>>>>    alert_large_fragments: INACTIVE
>>>>    alert_incomplete: INACTIVE
>>>>    alert_multiple_requests: INACTIVE
>>>> ERROR: Failed to initialize dynamic preprocessor: SF_DCERPC (IPV6)
>>>> version 1.1.5 (-1) Fatal Error, Quitting..
>>>> su-3.2#
>>>>
>>>>
>>>> On Mon, Aug 22, 2011 at 7:57 PM, alexus <alexus at ...11827...> wrote:
>>>>> guys, please help
>>>>>
>>>>> su-3.2# md5 snort-2.9.0.5.tar.gz
>>>>> MD5 (snort-2.9.0.5.tar.gz) = a7e6f0b013f767d09c99f8f91757e355
>>>>> su-3.2# grep './configure' config.log  $ ./configure --enable-ipv6
>>>>> --enable-gre --enable-mpls --enable-targetbased
>>>>> --enable-decoder-preprocessor-rules --enable-ppm
>>>>> --enable-perfprofiling --enable-zlib --enable-active-response
>>>>> --enable-normalizer --enable-reload --enable-react
>>>>> --enable-flexresp3 su-3.2# snort -V
>>>>>
>>>>>   ,,_     -*> Snort! <*-
>>>>>  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
>>>>>   ''''    By Martin Roesch & The Snort Team:
>>>>> http://www.snort.org/snort/snort-team
>>>>>           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>>>>>           Using libpcap version 1.2.0
>>>>>           Using PCRE version: 7.8 2008-09-05
>>>>>           Using ZLIB version: 1.2.3
>>>>>
>>>>> su-3.2# md5 snortrules-snapshot-2905.tar.gz
>>>>> MD5 (snortrules-snapshot-2905.tar.gz) =
>>>>> 58791cfc8efb4ac278f4c2effea935ff su-3.2# md5
>>>>> ../snortrules-snapshot-2905.tar.gz
>>>>> MD5 (../snortrules-snapshot-2905.tar.gz) =
>>>>> 58791cfc8efb4ac278f4c2effea935ff su-3.2# snort -c
>>>>> /usr/local/etc/snort.conf Running in IDS mode
>>>>>
>>>>>        --== Initializing Snort ==-- Initializing Output Plugins!
>>>>> Initializing Preprocessors!
>>>>> Initializing Plug-ins!
>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS'
>>>>> defined :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>>> Detection:
>>>>>   Search-Method = AC-Full-Q
>>>>>    Split Any/Any group = enabled
>>>>>    Search-Method-Optimizations = enabled
>>>>>    Maximum pattern length = 20
>>>>> ERROR: parser.c(5245) Could not stat dynamic module path
>>>>> "/usr/local/lib/snort_dynamicrules": No such file or directory.
>>>>> Fatal Error, Quitting..
>>>>> su-3.2# ls -dl /usr/local/lib/snort_dynamic*
>>>>> drwxr-xr-x  2 root  wheel   512 Aug 22 23:50 /usr/local/lib/snort_dynamicengine
>>>>> drwxr-xr-x  2 root  wheel  1536 Aug 22 23:50
>>>>> /usr/local/lib/snort_dynamicpreprocessor
>>>>> su-3.2#
>>>>>
>>>>> Where does that "snort_dynamicrules" come from?
>>>>> What am I missing?
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Aug 18, 2011 at 12:13 PM, alexus <alexus at ...11827...> wrote:
>>>>>> I downloaded 2.8.6.1
>>>>>>
>>>>>> su-3.2# snort -V
>>>>>>
>>>>>>   ,,_     -*> Snort! <*-
>>>>>>  o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
>>>>>>   ''''    By Martin Roesch & The Snort Team:
>>>>>> http://www.snort.org/snort/snort-team
>>>>>>           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>>>>           Using PCRE version: 7.8 2008-09-05
>>>>>>           Using ZLIB version: 1.2.3
>>>>>>
>>>>>> su-3.2#
>>>>>>
>>>>>> Downloaded the ruleset for 2.8 and same thing... (it CRASHES!!!)
>>>>>>
>>>>>> su-3.2# snort -c /usr/local/etc/snort.conf Running in IDS mode
>>>>>>
>>>>>>        --== Initializing Snort ==-- Initializing Output Plugins!
>>>>>> Initializing Preprocessors!
>>>>>> Initializing Plug-ins!
>>>>>> Parsing Rules file "/usr/local/etc/snort.conf"
>>>>>> PortVar 'HTTP_PORTS' defined :  [ 80 3128 ] PortVar
>>>>>> 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ] PortVar
>>>>>> 'ORACLE_PORTS' defined :  [ 1024:65535 ] PortVar 'SSH_PORTS'
>>>>>> defined :  [ 22 65535 ] PortVar 'FTP_PORTS' defined :  [ 20:21 ]
>>>>>> Detection:
>>>>>>   Search-Method = AC-Full-Q
>>>>>>    Split Any/Any group = enabled
>>>>>>    Search-Method-Optimizations = enabled
>>>>>>    Maximum pattern length = 20
>>>>>> Tagged Packet Limit: 256
>>>>>> Loading dynamic engine
>>>>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so... done Loading
>>>>>> all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>>>>>>  Loading dynamic detection library
>>>>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
>>>>>> done
>>>>>>  Finished Loading all dynamic detection libs from
>>>>>> /usr/local/lib/snort_dynamicrules Loading all dynamic preprocessor
>>>>>> libs from /usr/local/lib/snort_dynamicpreprocessor/...
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
>>>>>> done  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
>>>>>> done  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
>>>>>> done  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
>>>>>> done
>>>>>>  Loading dynamic preprocessor library
>>>>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
>>>>>> done  Finished Loading all dynamic preprocessor libs from
>>>>>> /usr/local/lib/snort_dynamicpreprocessor/
>>>>>> Log directory = /var/log/snort
>>>>>> Segmentation fault: 11 (core dumped) su-3.2#
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>>>> On 8/17/2011 11:07, alexus wrote:
>>>>>>>> it seems like it's failing on part #5
>>>>>>>> (preprocessors(rpc_decode))
>>>>>>>>
>>>>>>>>
>>>>>>>> su-3.2# snort -sc /usr/local/etc/snort.conf Running in IDS mode
>>>>>>>>
>>>>>>>>          --== Initializing Snort ==--
>>>>>>> [TRIM]
>>>>>>>> rpc_decode arguments:
>>>>>>>>      Ports to decode RPC on: 111 32770 32771 32772 32773 32774
>>>>>>>> 32775
>>>>>>>> 32776 32777 32778 32779
>>>>>>>>      alert_fragments: INACTIVE
>>>>>>>>      alert_large_fragments: INACTIVE
>>>>>>>>      alert_incomplete: INACTIVE
>>>>>>>>      alert_multiple_requests: INACTIVE Segmentation fault: 11
>>>>>>>> (core dumped) su-3.2#
>>>>>>>
>>>>>>> In my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line
>>>>>>> is the loading of the Portscan Detection Config... it is
>>>>>>> immediately after the alert_multiple_requests line... then I have the following sections...
>>>>>>>
>>>>>>>  FTPTelnet Config
>>>>>>>  SMTP Config
>>>>>>>  SSH Config
>>>>>>>  DCE/RPC 2 Preprocessor Configuration  DNS Configuration  SSLPP
>>>>>>> config  Initializing rule chains...
>>>>>>>
>>>>>>> maybe this helps somewhat?
>>>>>>>
>>>>>>> -----------------------------------------------------------------
>>>>>>> ------------- Get a FREE DOWNLOAD! and learn more about uberSVN
>>>>>>> rich system, user administration capabilities and model
>>>>>>> configuration. Take the hassle out of deploying and managing
>>>>>>> Subversion and the tools developers use with it.
>>>>>>> http://p.sf.net/sfu/wandisco-d2d-2
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net Go to this URL to change user
>>>>>>> options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>
>>>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> http://alexus.org/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://alexus.org/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> http://alexus.org/
>>>>
>>>
>>>
>>
>>
>>
>> --
>> http://alexus.org/
>
>



-- 
http://alexus.org/
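Two failure modes run through this thread: the parser stopping because a dynamic module directory named in snort.conf does not exist ("Could not stat dynamic module path"), and a preprocessor library from an earlier install failing to initialize against the newer binary ("Failed to initialize dynamic preprocessor: SF_DCERPC"). The script below is an added pre-flight check, not code from the thread or from the Snort project; it assumes the /usr/local prefix and the directory names shown in the output above, treats any .so older than the snort binary as a leftover from a previous install, and, as a further assumption, treats libsf_dcerpc_preproc.so as the pre-2.9 DCE/RPC preprocessor that libsf_dce2_preproc.so replaced.

```shell
#!/bin/sh
# snort_preflight PREFIX  -- sanity-check a Snort 2.x install tree before
# running "snort -c snort.conf". Added example; assumptions are marked.
# Exit status 0 means no problems were found, 1 otherwise.

snort_preflight() {
    prefix="${1:-/usr/local}"
    bin="$prefix/bin/snort"
    rc=0

    # 1. Every dynamic module directory that the default snort.conf points
    #    at must exist; a missing one aborts the parser before any rule
    #    is loaded (the "Could not stat dynamic module path" error above).
    for d in lib/snort_dynamicengine \
             lib/snort_dynamicpreprocessor \
             lib/snort_dynamicrules; do
        if [ ! -d "$prefix/$d" ]; then
            echo "MISSING directory: $prefix/$d"
            rc=1
        fi
    done

    if [ ! -f "$bin" ]; then
        echo "MISSING binary: $bin"
        return 1
    fi

    # 2. A shared object older than the snort binary was not installed by
    #    this build. Dynamic preprocessors are built against one Snort
    #    API version, so a leftover from an earlier install is the usual
    #    source of "Failed to initialize dynamic preprocessor".
    #    find(1) prints $bin only when it is strictly newer than $so.
    for so in "$prefix"/lib/snort_dynamicengine/*.so \
              "$prefix"/lib/snort_dynamicpreprocessor/*.so \
              "$prefix"/lib/snort_dynamicrules/*.so; do
        [ -f "$so" ] || continue      # unmatched glob: skip the literal pattern
        if [ -n "$(find "$bin" -newer "$so")" ]; then
            echo "STALE library: $so is older than $bin"
            rc=1
        fi
    done

    # 3. (Assumption) libsf_dcerpc_preproc.so is the pre-2.9 DCE/RPC
    #    preprocessor superseded by libsf_dce2_preproc.so. Seeing both,
    #    as in the thread's output, suggests the old one was never removed.
    pp="$prefix/lib/snort_dynamicpreprocessor"
    if [ -f "$pp/libsf_dcerpc_preproc.so" ] && [ -f "$pp/libsf_dce2_preproc.so" ]; then
        echo "LEGACY library: $pp/libsf_dcerpc_preproc.so present next to libsf_dce2_preproc.so"
        rc=1
    fi

    return $rc
}

# Usage: snort_preflight /usr/local && snort -c /usr/local/etc/snort.conf
```

The mtime comparison is deliberately coarse: it cannot prove a library is API-compatible, only that it was not produced by the current build, which is exactly the question Joel's diagnosis raises. Run it after every upgrade, before the first `snort -c`, and clear the flagged files rather than commenting preprocessors out of snort.conf.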