[Snort-users] Hello Snort Team

rmkml rmkml at ...17498...
Sun May 21 11:34:49 EDT 2017


Dear Paul,
Could you extract line 257?
Best Regards
@Rmkml


On Sun, 21 May 2017, Paul Trimby wrote:

>
>
> Good Day
>
>
> I've been successful in installing snort on my Linux OS Mint version 17.2,
> but keep getting an ERROR message after running $ sudo snort
> -c/etc/snort/snort.conf -T
>
> The output looks like this:
>
> x at ...888... /usr/local/bin $ sudo snort -c/etc/snort/snort.conf -T
> Running in Test mode
>
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/etc/snort/snort.conf"
> /etc/snort/snort.conf(59) Var 'EXTERNAL_NET' redefined.
> PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801
> 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029
> 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988
> 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082
> 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 8800
> 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601
> 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423 53331
> 55252 55555 56712 ]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
> PortVar 'SSH_PORTS' defined :  [ 22 ]
> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
> PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591
> 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381
> 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173
> 6988 7000:7001 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028
> 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500
> 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371
> 12601 15489 29991 33300 34412 34443:34444 41080 44449 50000 50002 51423
> 53331 55252 55555 56712 ]
> PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
> Detection:
>   Search-Method = AC-Full-Q
>    Split Any/Any group = enabled
>    Search-Method-Optimizations = enabled
>    Maximum pattern length = 20
> Tagged Packet Limit: 256
> Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so...
> done
> Loading all dynamic detection libs from /usr/lib/snort_dynamicrules...
> WARNING: No dynamic libraries found in
> directory /usr/lib/snort_dynamicrules.
>  Finished Loading all dynamic detection libs
> from /usr/lib/snort_dynamicrules
> Loading all dynamic preprocessor libs
> from /usr/lib/snort_dynamicpreprocessor/...
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
> done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
> done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
> done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>  Loading dynamic preprocessor
> library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>  Finished Loading all dynamic preprocessor libs
> from /usr/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> WARNING: ip4 normalizations disabled because not inline.
> WARNING: tcp normalizations disabled because not inline.
> WARNING: icmp4 normalizations disabled because not inline.
> WARNING: ip6 normalizations disabled because not inline.
> WARNING: icmp6 normalizations disabled because not inline.
> Frag3 global config:
>    Max frags: 65536
>    Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>    Bound Address: default
>    Target-based policy: WINDOWS
>    Fragment timeout: 180 seconds
>    Fragment min_ttl:   1
>    Fragment Anomalies: Alert
>    Overlap Limit:     10
>    Min fragment Length:     100
> Stream5 global config:
>    Track TCP sessions: ACTIVE
>    Max TCP sessions: 262144
>    TCP cache pruning timeout: 30 seconds
>    TCP cache nominal timeout: 3600 seconds
>    Memcap (for reassembly packet storage): 8388608
>    Track UDP sessions: ACTIVE
>    Max UDP sessions: 131072
>    UDP cache pruning timeout: 30 seconds
>    UDP cache nominal timeout: 180 seconds
>    Track ICMP sessions: INACTIVE
>    Track IP sessions: INACTIVE
>    Log info if session memory consumption exceeds 1048576
>    Send up to 2 active responses
>    Wait at least 5 seconds between responses
>    Protocol Aware Flushing: ACTIVE
>        Maximum Flush Point: 16000
>      Max Expected Streams: 768
> Stream5 TCP Policy config:
>    Bound Address: default
>    Reassembly Policy: WINDOWS
>    Timeout: 180 seconds
>    Limit on TCP Overlaps: 10
>    Maximum number of bytes to queue per session: 1048576
>    Maximum number of segs to queue per session: 2621
>    Options:
>        Require 3-Way Handshake: YES
>        3-Way Handshake Timeout: 180
>        Detect Anomalies: YES
>    Reassembly Ports:
>      21 client (Footprint)
>      22 client (Footprint)
>      23 client (Footprint)
>      25 client (Footprint)
>      36 client (Footprint) server (Footprint)
>      42 client (Footprint)
>      53 client (Footprint)
>      70 client (Footprint)
>      79 client (Footprint)
>      80 client (Footprint) server (Footprint)
>      81 client (Footprint) server (Footprint)
>      82 client (Footprint) server (Footprint)
>      83 client (Footprint) server (Footprint)
>      84 client (Footprint) server (Footprint)
>      85 client (Footprint) server (Footprint)
>      86 client (Footprint) server (Footprint)
>      87 client (Footprint) server (Footprint)
>      88 client (Footprint) server (Footprint)
>      89 client (Footprint) server (Footprint)
>      90 client (Footprint) server (Footprint)
>      additional ports configured but not printed.
> Stream5 UDP Policy config:
>    Timeout: 180 seconds
> HttpInspect Config:
>    GLOBAL CONFIG
>      Max Pipeline Requests:    0
>      Inspection Type:          STATELESS
>      Detect Proxy Usage:       NO
>      IIS Unicode Map Filename: /etc/snort/unicode.map
>      IIS Unicode Map Codepage: 1252
>      Memcap used for logging URI and Hostname: 150994944
>      Max Gzip Memory: 104857600
>      Max Gzip Sessions: 689852
>      Gzip Compress Depth: 65535
>      Gzip Decompress Depth: 65535
>    DEFAULT SERVER CONFIG:
>      Server profile: All
>      Ports (PAF): 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591
> 593 631 801 808 818 901 972 1158 1220 1414 1741 1830 2231 2301 2381 2809
> 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988
> 7000 7001 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081
> 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509
> 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601
> 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331
> 55252 55555 56712
>      Server Flow Depth: 0
>      Client Flow Depth: 0
>      Max Chunk Length: 500000
>      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
>      Max Header Field Length: 750
>      Max Number Header Fields: 100
>      Max Number of WhiteSpaces allowed with header folding: 200
>      Inspect Pipeline Requests: YES
>      URI Discovery Strict Mode: NO
>      Allow Proxy Usage: NO
>      Disable Alerting: NO
>      Oversize Dir Length: 500
>      Only inspect URI: NO
>      Normalize HTTP Headers: NO
>      Inspect HTTP Cookies: YES
>      Inspect HTTP Responses: YES
>      Extract Gzip from responses: YES
>      Unlimited decompression of gzip data from responses: YES
>      Normalize Javascripts in HTTP Responses: YES
>      Max Number of WhiteSpaces allowed with Javascript Obfuscation in
> HTTP responses: 200
>      Normalize HTTP Cookies: NO
>      Enable XFF and True Client IP: NO
>      Log HTTP URI data: NO
>      Log HTTP Hostname data: NO
>      Extended ASCII code support in URI: NO
>      Ascii: YES alert: NO
>      Double Decoding: YES alert: NO
>      %U Encoding: YES alert: YES
>      Bare Byte: YES alert: NO
>      UTF 8: YES alert: NO
>      IIS Unicode: YES alert: NO
>      Multiple Slash: YES alert: NO
>      IIS Backslash: YES alert: NO
>      Directory Traversal: YES alert: NO
>      Web Root Traversal: YES alert: NO
>      Apache WhiteSpace: YES alert: NO
>      IIS Delimiter: YES alert: NO
>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06
> 0x07
>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
> 32776 32777 32778 32779
>    alert_fragments: INACTIVE
>    alert_large_fragments: INACTIVE
>    alert_incomplete: INACTIVE
>    alert_multiple_requests: INACTIVE
> FTPTelnet Config:
>    GLOBAL CONFIG
>      Inspection Type: stateful
>      Check for Encrypted Traffic: YES alert: NO
>      Continue to check encrypted data: YES
>    TELNET CONFIG:
>      Ports: 23
>      Are You There Threshold: 20
>      Normalize: YES
>      Detect Anomalies: YES
>    FTP CONFIG:
>      FTP Server: default
>        Ports (PAF): 21 2100 3535
>        Check for Telnet Cmds: YES alert: YES
>        Ignore Telnet Cmd Operations: YES alert: YES
>        Ignore open data channels: NO
>      FTP Client: default
>        Check for Bounce Attacks: YES alert: YES
>        Check for Telnet Cmds: YES alert: YES
>        Ignore Telnet Cmd Operations: YES alert: YES
>        Max Response Length: 256
> SMTP Config:
>    Ports: 25 465 587 691
>    Inspection Type: Stateful
>    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
> EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
> STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR
> XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT
> X-DRCP X-ERCP X-EXCH50
>    Ignore Data: No
>    Ignore TLS Data: No
>    Ignore SMTP Alerts: No
>    Max Command Line Length: 512
>    Max Specific Command Line Length:
>       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255
>       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255
>       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500
>       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246
>       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246
>       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246
>       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246
>       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246
>       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246
>       XUSR:246
>    Max Header Line Length: 1000
>    Max Response Line Length: 512
>    X-Link2State Alert: Yes
>    Drop on X-Link2State Alert: No
>    Alert on commands: None
>    Alert on unknown commands: No
>    SMTP Memcap: 838860
>    MIME Max Mem: 838860
>    Base64 Decoding: Enabled
>    Base64 Decoding Depth: Unlimited
>    Quoted-Printable Decoding: Enabled
>    Quoted-Printable Decoding Depth: Unlimited
>    Unix-to-Unix Decoding: Enabled
>    Unix-to-Unix Decoding Depth: Unlimited
>    Non-Encoded MIME attachment Extraction: Enabled
>    Non-Encoded MIME attachment Extraction Depth: Unlimited
>    Log Attachment filename: Enabled
>    Log MAIL FROM Address: Enabled
>    Log RCPT TO Addresses: Enabled
>    Log Email Headers: Enabled
>    Email Hdrs Log Depth: 1464
> SSH config:
>    Autodetection: ENABLED
>    Challenge-Response Overflow Alert: ENABLED
>    SSH1 CRC32 Alert: ENABLED
>    Server Version String Overflow Alert: ENABLED
>    Protocol Mismatch Alert: ENABLED
>    Bad Message Direction Alert: DISABLED
>    Bad Payload Size Alert: DISABLED
>    Unrecognized Version Alert: DISABLED
>    Max Encrypted Packets: 20
>    Max Server Version String Length: 100
>    MaxClientBytes: 19600 (Default)
>    Ports:
> 	22
> DCE/RPC 2 Preprocessor Configuration
>  Global Configuration
>    DCE/RPC Defragmentation: Enabled
>    Memcap: 102400 KB
>    Events: co
>    SMB Fingerprint policy: Disabled
>  Server Default Configuration
>    Policy: WinXP
>    Detect ports (PAF)
>      SMB: 139 445
>      TCP: 135
>      UDP: 135
>      RPC over HTTP server: 593
>      RPC over HTTP proxy: None
>    Autodetect ports (PAF)
>      SMB: None
>      TCP: 1025-65535
>      UDP: 1025-65535
>      RPC over HTTP server: 1025-65535
>      RPC over HTTP proxy: None
>    Invalid SMB shares: C$ D$ ADMIN$
>    Maximum SMB command chaining: 3 commands
>    SMB file inspection: Disabled
> DNS config:
>    DNS Client rdata txt Overflow Alert: ACTIVE
>    Obsolete DNS RR Types Alert: INACTIVE
>    Experimental DNS RR Types Alert: INACTIVE
>    Ports: 53
> SSLPP config:
>    Encrypted packets: not inspected
>    Ports:
>      443      465      563      636      989
>      992      993      994      995     7801
>     7802     7900     7901     7902     7903
>     7904     7905     7906     7907     7908
>     7909     7910     7911     7912     7913
>     7914     7915     7916     7917     7918
>     7919     7920
>    Server side data is trusted
> Sensitive Data preprocessor config:
>    Global Alert Threshold: 25
>    Masked Output: DISABLED
> SIP config:
>    Max number of sessions: 40000
>    Max number of dialogs in a session: 4 (Default)
>    Status: ENABLED
>    Ignore media channel: DISABLED
>    Max URI length: 512
>    Max Call ID length: 80
>    Max Request name length: 20 (Default)
>    Max From length: 256 (Default)
>    Max To length: 256 (Default)
>    Max Via length: 1024 (Default)
>    Max Contact length: 512
>    Max Content length: 2048
>    Ports:
> 	5060	5061	5600
>    Methods:
> 	  invite cancel ack bye register options refer subscribe update join
> info message notify benotify do qauth sprack publish service unsubscribe
> prack
> IMAP Config:
>    Ports: 143
>    IMAP Memcap: 838860
>    MIME Max Mem: 838860
>    Base64 Decoding: Enabled
>    Base64 Decoding Depth: Unlimited
>    Quoted-Printable Decoding: Enabled
>    Quoted-Printable Decoding Depth: Unlimited
>    Unix-to-Unix Decoding: Enabled
>    Unix-to-Unix Decoding Depth: Unlimited
>    Non-Encoded MIME attachment Extraction: Enabled
>    Non-Encoded MIME attachment Extraction Depth: Unlimited
> POP Config:
>    Ports: 110
>    POP Memcap: 838860
>    MIME Max Mem: 838860
>    Base64 Decoding: Enabled
>    Base64 Decoding Depth: Unlimited
>    Quoted-Printable Decoding: Enabled
>    Quoted-Printable Decoding Depth: Unlimited
>    Unix-to-Unix Decoding: Enabled
>    Unix-to-Unix Decoding Depth: Unlimited
>    Non-Encoded MIME attachment Extraction: Enabled
>    Non-Encoded MIME attachment Extraction Depth: Unlimited
> Modbus config:
>    Ports:
> 	502
> DNP3 config:
>    Memcap: 262144
>    Check Link-Layer CRCs: ENABLED
>    Ports:
> 	20000
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: /etc/snort/snort.conf(257) Unknown rule type: path.
> Fatal Error, Quitting..
> x at ...888... /usr/local/bin $
>
> Would you be able to explain to me how I could fix this ERROR message?
>
> Thank You!
>
> Paul
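The error at the end of Paul's output means Snort read line 257 of snort.conf and did not recognise its first token, "path", as a directive. The shell functions below are an added example, not code from the thread: one prints a numbered line the way Snort reports it, the other scans the whole file for lines whose first token is not a Snort 2.9 directive, so the same class of mistake is caught anywhere in the file (the directive list is assumed from the 2.9 manual and may be incomplete; names declared with ruletype are added as they are seen).

```shell
#!/bin/sh
# Added example (not from the thread). Lint a snort.conf for lines whose
# first token is not a directive Snort understands, which is what produces
# "ERROR: snort.conf(N) Unknown rule type: X" at startup.
# Assumed subset of the Snort 2.9 keywords; extend if your build has more.
KNOWN_DIRECTIVES="alert log pass drop reject sdrop activate dynamic \
var portvar ipvar include config preprocessor output ruletype \
dynamicpreprocessor dynamicengine dynamicdetection threshold \
event_filter rate_filter suppress detection_filter attribute_table"

# show_line FILE N: print line N of FILE prefixed "FILE(N) ", as Snort does
show_line() {
    awk -v f="$1" -v n="$2" 'NR == n { print f "(" n ") " $0 }' "$1"
}

# unknown_directives FILE: print "FILE(N) Unknown rule type: TOKEN" for each
# line whose first token is unknown. Comments, blank lines, the body of a
# ruletype { ... } block and backslash-continued lines are skipped, since
# Snort joins a continued line to the one above it.
unknown_directives() {
    awk -v known="$KNOWN_DIRECTIVES" -v file="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        {
            line = $0
            cont = prev_cont                   # was the previous line continued?
            prev_cont = (line ~ /\\$/)
            if (cont) next
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            if (in_block) { if (line ~ /^}/) in_block = 0; next }
            split(line, tok, /[ \t]+/)
            if (tok[1] == "ruletype") { ok[tok[2]] = 1; in_block = 1; next }
            if (!(tok[1] in ok))
                printf "%s(%d) Unknown rule type: %s\n", file, NR, tok[1]
        }' "$1"
}

# Usage against a real install (constructed here; adjust the path):
# show_line /etc/snort/snort.conf 257
# unknown_directives /etc/snort/snort.conf
```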