[Snort-users] Error while starting Snort 3

Y M snort at outlook.com
Thu Jul 19 13:40:46 EDT 2018


I have had the same AppID message but it never caused Snort to error out or quit. I just considered it a warning. Output of Snort running against a pcap is attached just in case it helps.

YM
________________________________
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Mike Stepanek (mstepane) via Snort-users <snort-users at lists.snort.org>
Sent: Wednesday, July 18, 2018 7:53 PM
To: Ľubomír Bielik; snort-users at lists.snort.org
Subject: Re: [Snort-users] Error while starting Snort 3

Correction: The entries in that file are tab-delineated (my fingers got ahead of my brain).

In the appMapping.data file that you shared with me, it looks like the very first line is "bogus" (the one that doesn't look like any other line). I just downloaded it myself, and I see the same issue that you see. Somewhere along the way, we must have started including a bad line at the top of that file. We will work on getting that resolved.

Also, it looks like Snort2 and Snort3 AppIDs have a different stance on the fatalness of bad app entries. We'll work on resolving that as well (and make a clearer message).

In the meantime, you should be able to just remove that first line, and it should work just fine. So, delete this line at the top (it shouldn't be there):

    Snort Differs AppKey vmware-remote-auth -> vmware-remote-a

Thanks for the report!

 - Mike Stepanek
   mstepane at cisco.com


On 7/18/18, 10:40 AM, "Mike Stepanek (mstepane)" <mstepane at cisco.com> wrote:

    It seems to be complaining about your appMapping.data in your ODP (with what looks to be an odd line in it). Which ODP are you using? Did you modify it at all? Anything odd looking in it (each line should basically look the same with a comma-separated list of strings and numbers)? Anything odd about how you configured it? I don't suppose we can get the file...

     - Mike Stepanek
       mstepane at cisco.com


    On 7/18/18, 7:41 AM, "Snort-users on behalf of Ľubomír Bielik via Snort-users" <snort-users-bounces at lists.snort.org on behalf of snort-users at lists.snort.org> wrote:

        Hi all,

        I am trying to install Snort 3 on a VM with CentOS 7.5 with this guide;
        however, I fail to run Snort against an interface as shown at the
        end.
        Guide:
        https://www.snort.org/documents/snort-3-on-centos-7

        While initialising the search engine, I get a fatal error and Snort quits. I
        found nothing about this specific error.

        Error:
        --------------------------------------------------
        search engine
                        instances: 791
                         patterns: 81091
                    pattern chars: 1416781
                       num states: 1081210
                 num match states: 81083
                     memory scale: MB
                     total memory: 28.5913
                   pattern memory: 4.44377
                match list memory: 10.981
                transition memory: 13.0699
        Could not read app_name. Line Snort Differs AppKey vmware-remote-auth
        -> vmware-remote-a
        --------------------------------------------------
        pcap DAQ configured to passive.
        FATAL: see prior 1 errors (0 warnings)
        Fatal Error, Quitting..


        Any help please?
        _______________________________________________
        Snort-users mailing list
        Snort-users at lists.snort.org
        Go to this URL to change user options or unsubscribe:
        https://lists.snort.org/mailman/listinfo/snort-users

         To unsubscribe, send an email to:
         snort-users-leave at lists.snort.org

        Please visit http://blog.snort.org to stay current on all the latest Snort news!

        Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette




-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort3_output.txt
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180719/9bde388c/attachment.txt>
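
Added example, not part of the original thread and not Snort's own code: a pre-flight check for `appMapping.data` that flags lines which do not look like the rest, relying only on what the thread states (entries are tab-delimited and every line should basically look the same). The function names and all sample entries except the stray line quoted in the thread are constructed for illustration; the real field layout is not assumed.

```python
import sys
from collections import Counter


def find_odd_lines(lines):
    """Return (line_number, text) for each non-blank line whose tab-separated
    field count differs from the most common field count in the file."""
    rows = [(n, ln.rstrip("\r\n")) for n, ln in enumerate(lines, 1)]
    rows = [(n, ln) for n, ln in rows if ln.strip()]  # ignore blank lines
    if not rows:
        return []
    counts = Counter(len(ln.split("\t")) for _, ln in rows)
    expected = counts.most_common(1)[0][0]  # field count shared by most lines
    return [(n, ln) for n, ln in rows if len(ln.split("\t")) != expected]


def strip_odd_lines(lines):
    """Return the lines with the flagged ones removed, for writing a cleaned
    copy after a human has reviewed what find_odd_lines reported."""
    bad = {n for n, _ in find_odd_lines(lines)}
    return [ln for n, ln in enumerate(lines, 1) if n not in bad]


# Constructed sample: the first line is the stray one quoted in the thread,
# the remaining entries are made-up tab-delimited rows, not real ODP data.
SAMPLE = [
    "Snort Differs AppKey vmware-remote-auth -> vmware-remote-a\n",
    "9001\texample-app-one\t1\t0\t0\texample_app_one\n",
    "9002\texample-app-two\t1\t0\t0\texample_app_two\n",
    "9003\texample-app-three\t1\t0\t0\texample_app_three\n",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to appMapping.data inside the ODP directory, given by the user.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.readlines()
    else:
        data = SAMPLE
    odd = find_odd_lines(data)
    for n, ln in odd:
        print(f"line {n}: {ln!r}")
    sys.exit(1 if odd else 0)  # non-zero exit lets a startup script stop early
```

Run it before starting Snort after each ODP update; the majority vote on field count is only meaningful when the file has more good lines than bad ones.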

