[Snort-users] http_methods error starting snort on solaris 9

waldo kitty wkitty42 at ...14940...
Thu Aug 13 15:43:38 EDT 2015


On 08/13/2015 12:43 PM, Lamont, Brian A. wrote:
> I am picking up this snort install project from a person that has left the
> company, so I'm very new and finding errors as I go.
>
> When I start snort by issuing ./snort.sh start it errors with,  FATAL ERROR:
> /etc/snort/snort.conf(339) => Invalid keyword 'http_methods' for server
> configuration.    I list the command further below.


your problem is here in your snort.conf file...

> # HTTP normalization and anomaly detection.  For more information, see
> README.http_inspect #  removed, compress_depth 65535 and decompress_depth 65535,
> from "http_inspect:" line below.  - BL 7/2015 # preprocessor http_inspect:
> global iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server
> default \
>
>      http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL
> BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE
> SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
> PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>
>      chunk_length 500000 \
>

[chomp]

it appears that something has word wrapped your conf in this area... i suspect 
it should look like this...


# HTTP normalization and anomaly detection.  For more information, see 
README.http_inspect
#  removed, compress_depth 65535 and decompress_depth 65535, from 
"http_inspect:" line below.  - BL 7/2015
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
      http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL 
BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE 
SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT 
PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
      chunk_length 500000 \


with the rest of the lines following... i've cut it short here for space and 
ease of discussion... the above six lines i've cleaned up should have no word 
wrapping on them at all...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.




More information about the Snort-users mailing list