[Snort-users] community.rules file - failure error during restart or start of snort

Michael Brown mike.a.brown09 at ...11827...
Wed Apr 30 15:52:18 EDT 2014


The issue is that you have an invalid $FILE_DATA_PORTS value. You need this
to be a port number or a port range not an IP address.

---
Thank you,

Michael A. Brown
mike.a.brown09 at ...11827...
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist

"The only thing necessary for the triumph of evil is for good men to do
nothing" -Edmund Burke


On Wed, Apr 30, 2014 at 3:47 PM, Farnsworth, Robert <
robert.farnsworth at ...6440...> wrote:

>  Here's a more updated /var/adm/messages with the line enabled. Hope
> this helps.
>
>
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Frag3
> statistics:
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Total Fragments: 7058
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Frags Reassembled: 1850
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                Discards: 3198
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Memory Faults: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                Timeouts: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                Overlaps: 1599
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               Anomalies: 1599
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                  Alerts: 1599
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                   Drops: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> FragTrackers Added: 3239
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
>     FragTrackers Dumped: 3239
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> FragTrackers Auto Freed: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Frag
> Nodes Inserted: 5459
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]      Frag
> Nodes Deleted: 5459
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> ===============================================================================
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Stream5
> statistics:
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]             Total sessions: 47790
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               TCP sessions: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               UDP sessions: 47790
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]              ICMP sessions: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
>                IP sessions: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                 TCP Prunes: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                 UDP Prunes: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                ICMP Prunes: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                  IP Prunes: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP
> StreamTrackers Created: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP
> StreamTrackers Deleted: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               TCP Timeouts: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               TCP Overlaps: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]        TCP
> Segments Queued: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]      TCP
> Segments Released: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]        TCP
> Rebuilt Packets: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> TCP Segments Used: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               TCP Discards: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                   TCP Gaps: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]       UDP
> Sessions Created: 47790
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]       UDP
> Sessions Deleted: 47790
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               UDP Timeouts: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]               UDP Discards: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                     Events: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Internal Events: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> TCP Port Filter
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                    Dropped: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                  Inspected: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                    Tracked: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> UDP Port Filter
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                    Dropped: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                  Inspected: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911
> daemon.notice]                    Tracked: 47790
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> ===============================================================================
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP
> Inspect - encodings (Note: stream-reassembled packets included):
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     POST
> methods:                         0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     GET
> methods:                          0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP
> Request Headers extracted:       0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP
> Request Cookies extracted:       0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Post
> parameters extracted:            0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP
> response Headers extracted:      0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP
> Response Cookies extracted:      0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Unicode:                              0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Double
> unicode:                       0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Non-ASCII representable:              0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Directory traversals:                 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Extra
> slashes ("//"):                 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> Self-referencing paths ("./"):        0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     HTTP
> Response Gzip packets extracted: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Gzip
> Compressed Data Processed:       n/a
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Gzip
> Decompressed Data Processed:     n/a
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]     Total
> packets processed:              8666800
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> ===============================================================================
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] SMTP
> Preprocessor Statistics
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]   Total
> sessions                                    : 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]   Max
> concurrent sessions                           : 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> ===============================================================================
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] dcerpc2
> Preprocessor Statistics
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]   Total
> sessions: 0
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice]
> ===============================================================================
>
> Apr 30 15:45:26 serverx last message repeated 1 time
>
> Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Snort
> exiting
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2321) GID 1 SID 21255 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2322) GID 1 SID 21256 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2326) GID 1 SID 21327 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2332) GID 1 SID 21475 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2386) GID 1 SID 24034 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2399) GID 1 SID 25119 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2434) GID 1 SID 25946 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2448) GID 1 SID 26265 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2465) GID 1 SID 26399 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2466) GID 1 SID 26400 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2467) GID 1 SID 26401 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2468) GID 1 SID 26402 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2469) GID 1 SID 26403 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2470) GID 1 SID 26404 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2471) GID 1 SID 26405 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2472) GID 1 SID 26406 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2473) GID 1 SID 26407 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2474) GID 1 SID 26408 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING:
> ../rules/community.rules(2475) GID 1 SID 26409 in rule duplicates previous
> rule. Ignoring old rule.
>
> Apr 30 15:45:27 serverx snort[29457]: [ID 379120 daemon.error] FATAL
> ERROR: ../rules/community.rules(2488) ***PortVar Lookup failed on
> '$FILE_DATA_PORTS'.
>
> 167 serverx /usr/local/snort/etc$
>
>
>
> *From:* Michael Brown [mailto:mike.a.brown09 at ...11827...]
> *Sent:* Wednesday, April 30, 2014 3:45 PM
> *To:* Farnsworth, Robert
> *Cc:* Joel Esler (jesler); snort-users at lists.sourceforge.net; waldo kitty
>
> *Subject:* Re: [Snort-users] community.rules file - failure error during
> restart or start of snort
>
>
>
> Can you give us the same output when you have that line enabled?
>
>
>   ---
> Thank you,
>
> Michael A. Brown
> mike.a.brown09 at ...11827...
> (757) 912-0836
>
> M.S. Forensic Studies: Computer Forensics
> B.S. Information Technology: Network Specialist
>
> "The only thing necessary for the triumph of evil is for good men to do
> nothing" -Edmund Burke
>
>
>
> On Wed, Apr 30, 2014 at 3:37 PM, Farnsworth, Robert <
> robert.farnsworth at ...6440...> wrote:
>
>  LOL, that was after removing the community.rules entry from the
> snort.conf
>
>
>
> So yes it does start after removing or commenting out the
> $RULE_PATH/community.rules
>
>
>
> But does not start with the entry included in the file, hence the reason I
> am e-mailing this community.
>
>
>
> *From:* Joel Esler (jesler) [mailto:jesler at ...589...]
> *Sent:* Wednesday, April 30, 2014 3:33 PM
> *To:* Farnsworth, Robert
> *Cc:* waldo kitty; snort-users at lists.sourceforge.net
>
>
> *Subject:* Re: [Snort-users] community.rules file - failure error during
> restart or start of snort
>
>
>
> On Apr 30, 2014, at 3:21 PM, Farnsworth, Robert <robert.farnsworth at ...14790...0...>
> wrote:
>
>
>
> Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Commencing
> packet processing (pid=23008)
>
>
>
> Looks like it started to me.
>
>
>
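A small lint for the failure in this thread, added here as an example and not part of any list post or of Snort itself: it reads a constructed snort.conf excerpt, checks that every portvar value is a port, a range, a list or a $portvar reference rather than an address, and reports any $VAR in a rule header's port field that Snort could not look up (the "PortVar Lookup failed" fatal above). Names and values in SAMPLE_CONF are made up.

```python
import re

# Snort 2.x portvar atoms: port, range (low:high, low:, :high), 'any' or a $reference, each optionally '!'-negated.
PORT_ATOM = re.compile(r"^!?(?:\$\w+|\d{1,5}(?::\d{0,5})?|:\d{1,5}|any)$")
IPV4 = re.compile(r"^!?\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

def port_value_problems(value, portvars):
    """Why a portvar value would not load; an empty list means it is valid."""
    problems = []
    for atom in (a.strip() for a in value.strip().strip("[]").split(",")):
        ref = atom.lstrip("!")
        if IPV4.match(atom):
            problems.append(f"'{atom}' is an IP address, not a port or port range")
        elif not PORT_ATOM.match(atom):
            problems.append(f"'{atom}' is not a port, range, 'any' or $portvar")
        elif ref.startswith("$") and ref[1:] not in portvars:
            problems.append(f"'{atom}' refers to a portvar not defined above it")
    return problems

def lint_snort_conf(text):
    """(line_no, message) pairs: bad portvar values, plus rule-header port fields Snort could not resolve."""
    portvars, ipvars, findings = set(), set(), []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "ipvar" and len(tokens) >= 3:
            ipvars.add(tokens[1])
        elif tokens[0] == "portvar" and len(tokens) >= 3:
            for p in port_value_problems(" ".join(tokens[2:]), portvars):
                findings.append((no, f"portvar {tokens[1]}: {p}"))
            portvars.add(tokens[1])  # Snort resolves references in file order
        elif tokens[0] in RULE_ACTIONS and len(tokens) >= 7:
            # rule header: action proto src sport dir dst dport (options...)
            ports = (tokens[3] + "," + tokens[6]).replace("[", "").replace("]", "")
            for atom in ports.split(","):
                ref = atom.lstrip("!")
                if ref.startswith("$") and ref[1:] not in portvars:
                    why = "defined with ipvar, not portvar" if ref[1:] in ipvars else "never defined"
                    findings.append((no, f"PortVar lookup would fail on '{ref}': {why}"))
    return findings

# Constructed snort.conf excerpt (not the poster's file): FILE_DATA_PORTS holds an address, not ports.
SAMPLE_CONF = """\
ipvar FILE_DATA_PORTS 192.168.1.10
portvar HTTP_PORTS [80,8080,10.0.0.25]
alert tcp any any -> $HOME_NET $FILE_DATA_PORTS (msg:"constructed"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET $SHELLCODE_PORTS (msg:"constructed"; sid:1000002; rev:1;)
"""
```

Running `lint_snort_conf(SAMPLE_CONF)` flags the address inside HTTP_PORTS, the ipvar-instead-of-portvar definition behind the first rule's `$FILE_DATA_PORTS`, and the never-defined `$SHELLCODE_PORTS`, which is a faster loop than restarting Snort to read the next FATAL ERROR.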