Snort mailing list archives
Re: snort 2.8.5 on x64 centos and "ERROR: Invalid argument: include"
From: Agent Smith <news8080 () yahoo com>
Date: Mon, 5 Oct 2009 07:05:22 -0700 (PDT)
If I un-comment all the include statements (classification.config, reference.config and all rules) it works fine so it's not the pre-processors. Here is the snort.conf that I use WITH the includes that I want and it's broken unless I take out the includes.

====== cut here START
var RULE_PATH /etc/snort/rules
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SSH_SERVERS $HOME_NET
var POP_SERVERS $HOME_NET
var IMAP_SERVERS $HOME_NET
var RPC_SERVERS $HOME_NET
var WWW_SERVERS $HOME_NET
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
portvar HTTP_PORTS [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
portvar SHELLCODE_PORTS any
portvar ORACLE_PORTS 1024:
portvar AUTH_PORTS 113
portvar DNS_PORTS 53
portvar FINGER_PORTS 79
portvar FTP_PORTS 21
portvar IMAP_PORTS 143
portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
portvar MSSQL_PORTS 1433
portvar NNTP_PORTS 119
portvar POP2_PORTS 109
portvar POP3_PORTS 110
portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
portvar RLOGIN_PORTS 513
portvar RSH_PORTS 514
portvar SMB_PORTS [139,445]
portvar SMTP_PORTS 25
portvar SNMP_PORTS 161
portvar SSH_PORTS 22
portvar TELNET_PORTS 23
portvar MAIL_PORTS [25,143,465,691]
portvar SSL_PORTS [25,443,465,636,993,995]
portvar DCERPC_NCACN_IP_TCP [139,445]
portvar DCERPC_NCADG_IP_UDP [138,1024:]
portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
portvar DCERPC_NCACN_UDP_LONG [135,1024:]
portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
portvar DCERPC_NCACN_TCP [2103,2105,2107]
portvar DCERPC_BRIGHTSTORE [6503,6504]
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config enable_decode_oversized_alerts
config checksum_mode: all
config disable_ttcp_alerts
config disable_decode_drops
config pcre_match_limit: 1500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-bnfa
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
preprocessor stream5_udp: ignore_any_rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    iis_backslash no \
    multi_slash no \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    max_client_bytes 19600 \
    max_encrypted_packets 20 \
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/web-frontpage.rules
====== cut here END

--- On Mon, 10/5/09, Todd Wease <twease () sourcefire com> wrote:
From: Todd Wease <twease () sourcefire com>
Subject: Re: [Snort-users] snort 2.8.5 on x64 centos and "ERROR: Invalid argument: include"
To: "Agent Smith" <news8080 () yahoo com>
Cc: snort-users () lists sourceforge net
Date: Monday, October 5, 2009, 9:46 AM

On 10/05/2009 09:14 AM, Agent Smith wrote:

I just installed snort 2.8.5 with the following configure;make ;make install. I didn't modify the default config file and tried to run it and it gave me include errors like listed below. The only thing I changed was RULE_PATH and that's it.

./configure --enable-dynamicplugin --enable-timestats --enable-ppm --enable-perfprofiling --enable-gre --with-mysql --libdir=/usr/lib64 --with-libdir=lib64 --with-mysql-libraries=/usr/lib64/mysql/

var RULE_PATH /etc/snort/rules

# snort -i eth3 -c /etc/snort/etc/snort.conf --dynamic-preprocessor-lib-dir /usr/local/lib/snort_dynamicpreprocessor -vvv
.. .. ..
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 31347
ERROR: Invalid argument: include
Fatal Error, Quitting..

Anyone? I don't even know where to look. It's a 64bit centos 5 install.

Can you take a look at your dns and ssh configurations - looks like it might be coming from one of those. If you don't find any problems, can you post your snort.conf or send to me directly? (obfuscate any sensitive information in it first)
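
Added example, not part of the thread: in the config as posted, the `sfportscan` block ends in a `\` directly before `include classification.config`. Assuming Snort 2.x joins backslash-continued lines before parsing them, this Python lint (function names are hypothetical, the sample is a constructed excerpt modelled on the posted config) flags any directive that gets swallowed into the previous statement that way.

```python
# Keywords that start a new statement in a Snort 2.x snort.conf.
DIRECTIVES = ("var", "portvar", "ipvar", "config", "preprocessor",
              "dynamicpreprocessor", "dynamicengine", "dynamicdetection",
              "output", "include")

def logical_lines(text):
    """Join backslash-continued lines; yield (first_lineno, [(lineno, fragment)])."""
    parts, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue          # skip blanks/comments between statements
            start = no
        cont = line.endswith("\\")
        parts.append((no, line[:-1].strip() if cont else line))
        if not cont:              # statement ends on first line without '\'
            yield start, parts
            parts, start = [], None
    if parts:                     # file ended on a dangling continuation
        yield start, parts

def swallowed_directives(text):
    """Return (owner_lineno, swallowed_lineno, swallowed_text) for each finding."""
    findings = []
    for start, parts in logical_lines(text):
        for no, frag in parts[1:]:          # only continuation fragments
            words = frag.split(None, 1)
            first = words[0].rstrip(":") if words else ""
            if first in DIRECTIVES:
                findings.append((start, no, frag))
    return findings

# Constructed excerpt modelled on the posted snort.conf (not the full file).
SAMPLE = r"""
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp yes
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    max_encrypted_packets 20 \
include classification.config
include $RULE_PATH/local.rules
"""

if __name__ == "__main__":
    for owner, line, text in swallowed_directives(SAMPLE):
        print(f"line {line}: '{text}' is parsed as an argument "
              f"of the statement starting on line {owner}")
```

Run against a real file with `swallowed_directives(open(path).read())`; an empty list means no statement ends in a stray continuation.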