[Snort-users] community.rules file - failure error during restart or start of snort

Farnsworth, Robert robert.farnsworth at ...6440...
Wed Apr 30 15:47:45 EDT 2014


Here’s a more updated /var/adm/messages with the line enabled. Hope this helps.

Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Frag3 statistics:
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]         Total Fragments: 7058
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]       Frags Reassembled: 1850
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                Discards: 3198
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]           Memory Faults: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                Timeouts: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                Overlaps: 1599
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               Anomalies: 1599
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                  Alerts: 1599
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                   Drops: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]      FragTrackers Added: 3239
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     FragTrackers Dumped: 3239
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] FragTrackers Auto Freed: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Frag Nodes Inserted: 5459
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]      Frag Nodes Deleted: 5459
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Stream5 statistics:
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]             Total sessions: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               TCP sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               UDP sessions: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]              ICMP sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                IP sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                 TCP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                 UDP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                ICMP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                  IP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP StreamTrackers Created: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP StreamTrackers Deleted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               TCP Timeouts: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               TCP Overlaps: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]        TCP Segments Queued: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]      TCP Segments Released: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]        TCP Rebuilt Packets: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]          TCP Segments Used: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               TCP Discards: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                   TCP Gaps: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]       UDP Sessions Created: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]       UDP Sessions Deleted: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               UDP Timeouts: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]               UDP Discards: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                     Events: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]            Internal Events: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]            TCP Port Filter
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                    Dropped: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                  Inspected: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                    Tracked: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]            UDP Port Filter
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                    Dropped: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                  Inspected: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]                    Tracked: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP Inspect - encodings (Note: stream-reassembled packets included):
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     POST methods:                         0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     GET methods:                          0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP Request Headers extracted:       0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP Request Cookies extracted:       0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Post parameters extracted:            0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP response Headers extracted:      0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP Response Cookies extracted:      0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Unicode:                              0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Double unicode:                       0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Non-ASCII representable:              0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Directory traversals:                 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Extra slashes ("//"):                 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Self-referencing paths ("./"):        0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP Response Gzip packets extracted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Gzip Compressed Data Processed:       n/a
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Gzip Decompressed Data Processed:     n/a
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Total packets processed:              8666800
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] SMTP Preprocessor Statistics
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]   Total sessions                                    : 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]   Max concurrent sessions                           : 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] dcerpc2 Preprocessor Statistics
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]   Total sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx last message repeated 1 time
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Snort exiting
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2321) GID 1 SID 21255 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2322) GID 1 SID 21256 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2326) GID 1 SID 21327 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2332) GID 1 SID 21475 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2386) GID 1 SID 24034 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2399) GID 1 SID 25119 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2434) GID 1 SID 25946 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2448) GID 1 SID 26265 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2465) GID 1 SID 26399 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2466) GID 1 SID 26400 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2467) GID 1 SID 26401 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2468) GID 1 SID 26402 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2469) GID 1 SID 26403 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2470) GID 1 SID 26404 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2471) GID 1 SID 26405 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2472) GID 1 SID 26406 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2473) GID 1 SID 26407 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2474) GID 1 SID 26408 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2475) GID 1 SID 26409 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 379120 daemon.error] FATAL ERROR: ../rules/community.rules(2488) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
167 serverx /usr/local/snort/etc$
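The log above ends with two distinct problems: a run of "GID 1 SID nnnnn in rule duplicates previous rule" warnings (Snort keeps the later rule and drops the earlier one) and a FATAL ERROR because community.rules references the port variable $FILE_DATA_PORTS, which the running snort.conf never defines. Both can be caught statically before restarting the sensor. The script below is an added example, not code from the poster or from the Snort project: it takes snort.conf and a rules file as text, collects the names declared with portvar/ipvar/var, reports any $VARIABLE used in a rule header that was never declared, and lists GID:SID pairs that occur more than once. The snort.conf and rule lines embedded in it are constructed for illustration (a config that lacks FILE_DATA_PORTS, one duplicated SID) and are not the poster's files.

```python
"""Pre-flight check for a Snort 2.x rules file.

Finds, without starting Snort, the two problems visible in the log:
(1) rules whose GID:SID repeats an earlier rule, and
(2) rules whose header uses a $VARIABLE that snort.conf never defines
    (the cause of Snort's "PortVar Lookup failed" fatal error).
"""
import re
from collections import defaultdict

# Constructed sample snort.conf: deliberately omits FILE_DATA_PORTS.
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.0.0/16
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
portvar SMTP_PORTS 25
var RULE_PATH ../rules
include $RULE_PATH/community.rules
"""

# Constructed sample rules in the style of community.rules (not real SIDs).
SAMPLE_RULES = """\
# comment line, ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"first"; sid:21255; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"dup"; gid:1; sid:21255; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"undef"; sid:99999; rev:1;)
alert udp any any -> $HOME_NET $SMTP_PORTS (msg:"ok"; sid:100; rev:1;)
"""

# snort.conf declares variables with portvar / ipvar / var NAME value
DEF_RE = re.compile(r"^\s*(?:portvar|ipvar|var)\s+(\w+)\s", re.M)
REF_RE = re.compile(r"\$(\w+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)")


def defined_variables(conf_text):
    """Names declared via portvar/ipvar/var in snort.conf."""
    return set(DEF_RE.findall(conf_text))


def rule_lines(rules_text):
    """Yield (line number, rule text) for active, non-comment lines."""
    for n, line in enumerate(rules_text.splitlines(), start=1):
        s = line.strip()
        if s and not s.startswith("#"):
            yield n, s


def undefined_references(conf_text, rules_text):
    """[(line, var)] for $VARs in a rule header that snort.conf lacks."""
    known = defined_variables(conf_text)
    out = []
    for n, rule in rule_lines(rules_text):
        header = rule.split("(", 1)[0]  # ip/port variables live in the header
        for name in REF_RE.findall(header):
            if name not in known:
                out.append((n, name))
    return out


def duplicate_ids(rules_text):
    """{(gid, sid): [lines]} for every GID:SID that appears more than once."""
    seen = defaultdict(list)
    for n, rule in rule_lines(rules_text):
        sid = SID_RE.search(rule)
        if not sid:
            continue
        gid = GID_RE.search(rule)  # gid is optional and defaults to 1
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        seen[key].append(n)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for n, name in undefined_references(SAMPLE_CONF, SAMPLE_RULES):
        print(f"line {n}: ${name} is not defined in snort.conf (Snort would fail to start)")
    for (gid, sid), lines in duplicate_ids(SAMPLE_RULES).items():
        print(f"GID {gid} SID {sid} appears on lines {lines}; Snort keeps the last one")
```

Run it against the real files by reading them in place of the two sample strings. An undefined variable is the one that prevents startup, so it is the first thing to fix: either add the missing portvar to snort.conf or use a rules file built for the snort.conf version actually deployed. Duplicate SIDs only produce warnings, but they usually mean the same rules are being loaded from two files, which is worth cleaning up so alerts map to one known rule revision.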

From: Michael Brown [mailto:mike.a.brown09 at ...11827...]
Sent: Wednesday, April 30, 2014 3:45 PM
To: Farnsworth, Robert
Cc: Joel Esler (jesler); snort-users at lists.sourceforge.net; waldo kitty
Subject: Re: [Snort-users] community.rules file - failure error during restart or start of snort

Can you give us the same output when you have that line enabled?

---
Thank you,

Michael A. Brown
mike.a.brown09 at ...11827...<mailto:mike.a.brown09 at ...11827...>
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist

"The only thing necessary for the triumph of evil is for good men to do nothing" -Edmund Burke

On Wed, Apr 30, 2014 at 3:37 PM, Farnsworth, Robert <robert.farnsworth at ...6440...<mailto:robert.farnsworth at ...6440...>> wrote:
LOL, that was after removing the community.rules entry from the snort.conf

So yes it does start after removing or commenting out the $RULE_PATH/community.rules

But does not start with the entry included in the file, hence the reason I am e-mailing this community.

From: Joel Esler (jesler) [mailto:jesler at ...589...<mailto:jesler at ...589...>]
Sent: Wednesday, April 30, 2014 3:33 PM
To: Farnsworth, Robert
Cc: waldo kitty; snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>

Subject: Re: [Snort-users] community.rules file - failure error during restart or start of snort

On Apr 30, 2014, at 3:21 PM, Farnsworth, Robert <robert.farnsworth at ...6440...<mailto:robert.farnsworth at ...6440...>> wrote:

Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Commencing packet processing (pid=23008)

Looks like it started to me.

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
