Re: snort-2.1.0 upgrade error

[Peggy Kam <ppkam () n-dsi com>]

Nevermind, I fixed my problems.

Peggy Kam wrote:

> Hi,
>
> I am currently having trouble upgrading from snort-2.0.4 to 
> snort-2.1.0.  I am not able to start snort and I get the following 
> error in the syslog:
>
> Feb  5 13:40:21 ndsapp su(pam_unix)[31698]: session opened for user 
> root by koadmin(uid=500)
> Feb  5 13:40:36 ndsapp snort: Initializing daemon mode
> Feb  5 13:40:36 ndsapp snort: PID path stat checked out ok, PID path 
> set to /var/run/
> Feb  5 13:40:36 ndsapp snort: Writing PID "31746" to file 
> "/var/run//snort_eth1.pid"
> Feb  5 13:40:36 ndsapp snort: FATAL ERROR: 
> /prod/etc/snort/snort.conf(285) => Invalid file name for IIS Unicode 
> Map file.
>
> And when I run snort without -D flag, I get:
>
> Starting Intrusion Database System: SNORT
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth1
>
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /prod/etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>    Fragment timeout: 60 seconds
>    Fragment memory cap: 4194304 bytes
>    Fragment min_ttl:   0
>    Fragment ttl_limit: 5
>    Fragment Problems: 0
>    Self preservation threshold: 500
>    Self preservation period: 90
>    Suspend threshold: 1000
>    Suspend period: 30
> Stream4 config:
>    Stateful inspection: ACTIVE
>    Session statistics: INACTIVE
>    Session timeout: 30 seconds
>    Session memory cap: 8388608 bytes
>    State alerts: INACTIVE
>    Evasion alerts: INACTIVE
>    Scan alerts: INACTIVE
>    Log Flushed Streams: INACTIVE
>    MinTTL: 1
>    TTL Limit: 5
>    Async Link: 0
>    State Protection: 0
>    Self preservation threshold: 50
>    Self preservation period: 90
>    Suspend threshold: 200
>    Suspend period: 30
> Stream4_reassemble config:
>    Server reassembly: INACTIVE
>    Client reassembly: ACTIVE
>    Reassembler alerts: ACTIVE
>    Zero out flushed packets: INACTIVE
>    flush_data_diff_size: 500
>    Ports: 21 23 25 53 80 110 111 143 513 1433
>    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> ERROR: /prod/etc/snort/snort.conf(285) => Invalid file name for IIS 
> Unicode Map file.
> Fatal Error, Quitting..
>
>
>
>
>
>                 I have already updated my config files and the rulesets.
>
> When I try /prod/bin/snort -V:
>
> I get
> -*> Snort! <*-
> Version 2.1.0 (Build 9)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
>
>
> When I try /prod/bin/snort -T:
>
> I get:
>
> -*> Snort! <*-
> Version 2.1.0 (Build 9)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
> USAGE: /prod/bin/snort [-options] <filter options>
> Options:
>        -A         Set alert mode: fast, full, console, or none  (alert 
> file alerts only)
>                   "unsock" enables UNIX socket logging (experimental).
>        -b         Log packets in tcpdump format (much faster!)
>        -c <rules> Use Rules File <rules>
>        -C         Print out payloads with character data only (no hex)
>        -d         Dump the Application Layer
>        -D         Run Snort in background (daemon) mode
>        -e         Display the second layer header info
>        -f         Turn off fflush() calls after binary log writes
>        -F <bpf>   Read BPF filters from file <bpf>
>        -g <gname> Run snort gid as <gname> group (or gid) after 
> initialization
>        -h <hn>    Home network = <hn>
>        -i <if>    Listen on interface <if>
>        -I         Add Interface name to alert output
>        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
>        -l <ld>    Log to directory <ld>
>        -L <file>  Log to this tcpdump file
>        -m <umask> Set umask = <umask>
>        -n <cnt>   Exit after receiving <cnt> packets
>        -N         Turn off logging (alerts still work)
>        -o         Change the rule testing order to Pass|Alert|Log
>        -O         Obfuscate the logged IP addresses
>        -p         Disable promiscuous mode sniffing
>        -P <snap>  Set explicit snaplen of packet (default: 1514)
>        -q         Quiet. Don't show banner and status report
>        -r <tf>    Read and process tcpdump file <tf>
>        -R <id>    Include 'id' in snort_intf<id>.pid file name
>        -s         Log alert messages to syslog
>        -S <n=v>   Set rules file variable n equal to value v
>        -t <dir>   Chroots process to <dir> after initialization
>        -T         Test and report on the current Snort configuration
>        -u <uname> Run snort uid as <uname> user (or uid) after 
> initialization
>        -U         Use UTC for timestamps
>        -v         Be verbose
>        -V         Show version number
>        -w         Dump 802.11 management and control frames
>        -X         Dump the raw packet data starting at the link layer
>        -y         Include year in timestamp in the alert and log files
>        -z         Set assurance mode, match on established sesions 
> (for TCP)
>        -?         Show this information
> <Filter Options> are standard BPF options, as seen in TCPDump
>
>
> Uh, you need to tell me to do something...
>
> : No such file or directory
>
>
>
> Does anyone have any clue how to fix this error?
>
> Thanks in advance,
> Peggy



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users