[Snort-users] Understanding how to debug snort.config

Russ rucombs at ...589...
Wed Dec 7 12:07:39 EST 2016


It looks like you are missing the trailing \ on the line ahead of 
decompress_pdf which is part of the preprocessor http_inspect_server 
configuration.  Without that trailing \ Snort thinks decompress_pdf must 
be the start of a rule.

You can check the Snort user manual for the configuration of the HTTP 
preprocessor.  That option enables detection within certain compressed 
blobs in PDF files returned by an HTTP server.

On 12/7/16 11:02 AM, Jared F wrote:
>
> Thanks Russ!  That was exactly it, and I deleted the lzma entry on line 
> (325) but ran into another error on (326):
>
> ERROR: F:\Snort\etc\snort.conf(326) Unknown rule type: decompress_pdf.
>
> I promptly commented it out and now the conf file validates, but is 
> there a resource that can inform me what this line's initial action was 
> supposed to do?  And why I would want it to run?  Thanks again and 
> your assistance is much appreciated!
>
> ------------------------------------------------------------------------
> *From:* Russ <rucombs at ...589...>
> *Sent:* Tuesday, December 6, 2016 6:47 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Understanding how to debug snort.config
> This looks like the same error others have reported recently.  If your 
> lines look like the below you need to remove lzma from decompress_swf 
> or install liblzma.  The error message is confusing because there is a 
> bug with the error message itself.
>
> Line 325: decompress_swf { deflate lzma } \
>
> Line 326: decompress_pdf { deflate }
>
>
> On 12/6/16 6:48 PM, wkitty42 at ...14940... wrote:
>> On 12/06/2016 05:26 PM, Jared F wrote:
>>> I thought the (326) meant the line the error was coming from and although
>>> there is a bracket there it doesn't look wrong.  Where should I start
>>> learning how to troubleshoot snort?
>> you are correct... the error was discovered at line 326... look above it to find
>> the actual error... if you post that block, we can probably point the error out
>> to you real quick...
>>
>>
>

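As an added example (not code from the thread or from the Snort project), a small checker that joins backslash-continued snort.conf lines the way Russ describes and reports the first token of any logical line that Snort would read as a rule type, pointing at the preceding physical line as the likely place of the missing trailing backslash. The config fragment and the list of top-level keywords are constructed for the demonstration and assumed, not taken from the Snort manual.

```python
# Constructed snort.conf fragment (not from the thread): the physical line
# before decompress_pdf is missing its trailing backslash, as in the report.
SAMPLE_CONF = """\
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    decompress_swf { deflate lzma }
    decompress_pdf { deflate }
preprocessor frag3_global: max_frags 65536
"""

# Keywords assumed to legitimately begin a logical line in snort.conf.
TOP_LEVEL = {"preprocessor", "config", "var", "ipvar", "portvar", "include",
             "output", "dynamicpreprocessor", "dynamicdetection", "dynamicengine",
             "alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}


def logical_lines(text):
    """Join backslash-continued lines as Snort's parser does.
    Yields (first_line_no, last_line_no, joined_text)."""
    buf, start = [], None
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if start is None:
            start = num
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, num, " ".join(p.strip() for p in buf)
        buf, start = [], None
    if buf:  # file ended while a continuation was still open
        yield start, num, " ".join(p.strip() for p in buf)


def find_broken_continuations(text):
    """Return [(bad_line_no, previous_logical_end, first_token), ...].
    A logical line whose first token is not a top-level keyword is what
    Snort reports as 'Unknown rule type: <token>'; the usual fix is a
    trailing backslash on the physical line just before it."""
    findings, prev_end = [], None
    for start, end, joined in logical_lines(text):
        stripped = joined.strip()
        if stripped and not stripped.startswith("#"):
            token = stripped.split()[0].rstrip(":")
            if token not in TOP_LEVEL:
                findings.append((start, prev_end, token))
        prev_end = end
    return findings
```

Run against the sample it reports line 4 (`decompress_pdf`) with line 3 as the place to add the backslash; adding it makes the report empty.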