[Snort-users] http_methods error starting snort on solaris 9

Lamont, Brian A. Brian.Lamont at ...17273...
Thu Aug 13 17:29:56 EDT 2015


I compared that area of the file with the snort.conf in /opt/snort/etc  and  there was no difference.    I think what you are seeing is an anomaly of cut and paste from text to email.   


-----Original Message-----
From: waldo kitty [mailto:wkitty42 at ...14940...] 
Sent: Thursday, August 13, 2015 12:44 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] http_methods error starting snort on solaris 9

On 08/13/2015 12:43 PM, Lamont, Brian A. wrote:
> I am picking up this snort install project from a person that has left 
> the company, so I'm very new and finding errors as I go.
>
> When I start snort by issuing ./snort.sh start it errors with,  FATAL ERROR:
> /etc/snort/snort.conf(339) => Invalid keyword 'http_methods' for server
> configuration.    I list the command further below.


your problem is here in your snort.conf file...

> # HTTP normalization and anomaly detection.  For more information, see 
> README.http_inspect #  removed, compress_depth 65535 and 
> decompress_depth 65535, from "http_inspect:" line below.  - BL 7/2015 # preprocessor http_inspect:
> global iis_unicode_map unicode.map 1252 preprocessor 
> http_inspect_server: server default \
>
>      http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK 
> NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE 
> TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH 
> BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST 
> SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>
>      chunk_length 500000 \
>

[chomp]

it appears that something has word wrapped your conf in this area... i suspect it should look like this...


# HTTP normalization and anomaly detection.  For more information, see 
README.http_inspect
#  removed, compress_depth 65535 and decompress_depth 65535, from 
"http_inspect:" line below.  - BL 7/2015
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
      http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL 
BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE 
SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT 
PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
      chunk_length 500000 \


with the rest of the lines following... i've cut it short here for space and 
ease of discussion... the above six lines i've cleaned up should have no word 
wrapping on them at all...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list