Snort mailing list archives
Re: snort-2.1.0 upgrade error
From: Peggy Kam <ppkam () n-dsi com>
Date: Thu, 05 Feb 2004 14:28:17 -0500
Nevermind, I fixed my problems. Peggy Kam wrote:
Hi,I am currently having trouble upgrading from snort-2.0.4 to snort-2.1.0. I am not able to start snort and I get the following error in the syslog:Feb 5 13:40:21 ndsapp su(pam_unix)[31698]: session opened for user root by koadmin(uid=500)Feb 5 13:40:36 ndsapp snort: Initializing daemon modeFeb 5 13:40:36 ndsapp snort: PID path stat checked out ok, PID path set to /var/run/ Feb 5 13:40:36 ndsapp snort: Writing PID "31746" to file "/var/run//snort_eth1.pid" Feb 5 13:40:36 ndsapp snort: FATAL ERROR: /prod/etc/snort/snort.conf(285) => Invalid file name for IIS Unicode Map file.And when I run snort without -D flag, I get: Starting Intrusion Database System: SNORT Running in IDS mode Log directory = /var/log/snort Initializing Network Interface eth1 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth1 Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /prod/etc/snort/snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Fragment min_ttl: 0 Fragment ttl_limit: 5 Fragment Problems: 0 Self preservation threshold: 500 Self preservation period: 90 Suspend threshold: 1000 Suspend period: 30 Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Evasion alerts: INACTIVE Scan alerts: INACTIVE Log Flushed Streams: INACTIVE MinTTL: 1 TTL Limit: 5 Async Link: 0 State Protection: 0 Self preservation threshold: 50 Self preservation period: 90 Suspend threshold: 200 Suspend period: 30 Stream4_reassemble config: Server reassembly: INACTIVE Client reassembly: ACTIVE Reassembler alerts: ACTIVE Zero out flushed packets: INACTIVE flush_data_diff_size: 500 Ports: 21 23 25 53 80 110 111 143 513 1433 Emergency Ports: 21 23 25 53 80 110 111 143 513 1433ERROR: /prod/etc/snort/snort.conf(285) => Invalid file name for IIS Unicode Map file.Fatal Error, Quitting.. I have already updated my config files and the rulesets. When I try /prod/bin/snort -V: I get -*> Snort! <*- Version 2.1.0 (Build 9) By Martin Roesch (roesch () sourcefire com, www.snort.org) When I try /prod/bin/snort -T: I get: -*> Snort! <*- Version 2.1.0 (Build 9) By Martin Roesch (roesch () sourcefire com, www.snort.org) USAGE: /prod/bin/snort [-options] <filter options> Options:-A Set alert mode: fast, full, console, or none (alert file alerts only)"unsock" enables UNIX socket logging (experimental). -b Log packets in tcpdump format (much faster!) -c <rules> Use Rules File <rules> -C Print out payloads with character data only (no hex) -d Dump the Application Layer -D Run Snort in background (daemon) mode -e Display the second layer header info -f Turn off fflush() calls after binary log writes -F <bpf> Read BPF filters from file <bpf>-g <gname> Run snort gid as <gname> group (or gid) after initialization-h <hn> Home network = <hn> -i <if> Listen on interface <if> -I Add Interface name to alert output -k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none) -l <ld> Log to directory <ld> -L <file> Log to this tcpdump file -m <umask> Set umask = <umask> -n <cnt> Exit after receiving <cnt> packets -N Turn off logging (alerts still work) -o Change the rule testing order to Pass|Alert|Log -O Obfuscate the logged IP addresses -p Disable promiscuous mode sniffing -P <snap> Set explicit snaplen of packet (default: 1514) -q Quiet. Don't show banner and status report -r <tf> Read and process tcpdump file <tf> -R <id> Include 'id' in snort_intf<id>.pid file name -s Log alert messages to syslog -S <n=v> Set rules file variable n equal to value v -t <dir> Chroots process to <dir> after initialization -T Test and report on the current Snort configuration-u <uname> Run snort uid as <uname> user (or uid) after initialization-U Use UTC for timestamps -v Be verbose -V Show version number -w Dump 802.11 management and control frames -X Dump the raw packet data starting at the link layer -y Include year in timestamp in the alert and log files-z Set assurance mode, match on established sesions (for TCP)-? Show this information <Filter Options> are standard BPF options, as seen in TCPDump Uh, you need to tell me to do something... : No such file or directory Does anyone have any clue how to fix this error? Thanks in advance, Peggy
------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- syslog messages Henri Chevallier (Feb 05)
- RE: syslog messages Erik Mintz (Feb 05)
- snort-2.1.0 upgrade error Peggy Kam (Feb 05)
- Re: snort-2.1.0 upgrade error Jeremy Hewlett (Feb 05)
- Re: snort-2.1.0 upgrade error Peggy Kam (Feb 05)
- snort-2.1.0 upgrade error Peggy Kam (Feb 05)
- <Possible follow-ups>
- RE: syslog messages Nick Duda (Feb 05)
- RE: syslog messages Erik Mintz (Feb 05)