[Snort-users] snort 2.9.9.0 error

Ed Borgoyn (eborgoyn) eborgoyn at ...589...
Fri Jan 13 09:23:10 EST 2017


This line controls which SWF file decompression algorithms are enabled.  By default, Snort is built with ZLIB (deflate) decompression libraries, but NOT LZMA libraries.  Specifying LZMA on this config line results in a config parsing error as without LZMA included, the LZMA keyword is unknown to the parser.  There is a pending bug to improve the parsing logic and produce a better error if/when the keyword is present but without LZMA support.

You can hash out (i.e. remove) this config line, but this will also remove the ZLIB/deflate file decompression mode.  Removing the LZMA keyword will fix the parsing error but leave the deflate mode enabled.

Ed Borgoyn
Cisco Snort Development Team
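
The distinction in the reply above (commenting out the whole line also drops deflate, while removing only the keyword keeps it) can be applied mechanically. This is an added shell example, not part of the thread or of Snort; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and drop the 'lzma' mode from decompress_swf /
# decompress_pdf options in a snort.conf while keeping 'deflate'.

# Constructed sample mirroring lines 325-326 quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# decompress_swf { deflate lzma } \
preprocessor http_inspect_server: server default \
    decompress_swf { deflate lzma } \
    decompress_pdf { deflate }
EOF
}

# Print the line number of each uncommented decompress_* option listing lzma.
find_lzma_lines() {
    awk '
    match($0, /decompress_(swf|pdf)[ \t]*\{[^}]*\}/) {
        if (index(substr($0, 1, RSTART - 1), "#")) next
        if (tolower(substr($0, RSTART, RLENGTH)) ~ /[ \t{]lzma[ \t}]/) print NR
    }' "$1"
}

# Emit the config with lzma removed from those options; other modes stay.
strip_lzma() {
    awk '
    {
        if (match($0, /decompress_(swf|pdf)[ \t]*\{[^}]*\}/) &&
            !index(substr($0, 1, RSTART - 1), "#")) {
            pre = substr($0, 1, RSTART - 1)
            grp = substr($0, RSTART, RLENGTH)
            post = substr($0, RSTART + RLENGTH)
            brace = index(grp, "{")
            body = substr(grp, brace + 1, length(grp) - brace - 1)
            n = split(body, w, /[ \t]+/); kept = ""; hit = 0
            for (i = 1; i <= n; i++) {
                if (tolower(w[i]) == "lzma") hit = 1
                else if (w[i] != "") kept = kept " " w[i]
            }
            # Rewrite only when lzma was listed and another mode remains.
            if (hit && kept != "") $0 = pre substr(grp, 1, brace) kept " }" post
        }
        print
    }' "$1"
}

# Demo on the constructed sample.
conf=$(mktemp); write_sample_conf "$conf"
echo "lzma listed on line(s): $(find_lzma_lines "$conf")"
strip_lzma "$conf"; rm -f "$conf"
```

Run `snort -T -c` on the rewritten file to confirm it parses before replacing the live snort.conf.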


From: Michael Steele <michaels at ...9077...>
Date: Friday, January 13, 2017 at 8:45 AM
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] snort 2.9.9.0 error

What is the reason for changing the line below, shouldn’t it just be hashed out?

325:    decompress_swf { deflate lzma } \
325:    decompress_swf { deflate } \

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
*          Visit Us @ http://www.winsnort.com           *
*      ~~ FREE WinIDS Snort installation guides ~~      *
*               ~~ FREE support forums ~~               *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************

From: Kumarswamy H N (kumhn) [mailto:kumhn at ...589...]
Sent: Friday, January 13, 2017 4:29 AM
To: Mojtaba Haghighipour <moj.haghighipour at ...11827...>; Michael Steele <michaels at ...9077...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort 2.9.9.0 error

Either you can install the lzma package or change line 325 to decompress_swf { deflate } \

From: Mojtaba Haghighipour [mailto:moj.haghighipour at ...11827...]
Sent: Friday, January 13, 2017 2:42 PM
To: Michael Steele <michaels at ...9077...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort 2.9.9.0 error

It's my 325 and 326 lines:
325:    decompress_swf { deflate lzma } \
326:    decompress_pdf { deflate }
What should I do now?

On Fri, Jan 13, 2017 at 12:39 AM, Michael Steele <michaels at ...9077...> wrote:
This has been around for months and should be displayed as a warning and not a fatal error.

Kindest regards,
Michael...


From: Ed Borgoyn (eborgoyn) [mailto:eborgoyn at ...589...]
Sent: Thursday, January 12, 2017 12:52 PM
To: Jim Campbell <jim at ...17675...>; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort 2.9.9.0 error

Does line 326 of snort.conf look like:


decompress_swf { deflate lzma }


If so, then try removing the ‘lzma’ keyword.  If snort is not built with the LZMA libraries for LZMA SWF file decompression, then this keyword will lead to a syntax error.


Ed Borgoyn
Cisco Snort Development Team


From: Jim Campbell <jim at ...17675...>
Date: Thursday, January 12, 2017 at 12:20 PM
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] snort 2.9.9.0 error

It's telling you that line 326 of snort.conf has an error. Perhaps a mismatched or out of place '}'

On 1/12/2017 2:28 AM, Mojtaba Haghighipour wrote:
Hi ... it's an error when I run snort with the command:
snort -c  /etc/snort/rules/etc/snort.conf

ERROR: /etc/snort/rules/etc/snort.conf(326) => Invalid keyword '}' for server configuration.

Fatal Error, Quitting..

Please help me..




