Snort 2.8.5.3 does not like default global telnet config??

[Joe Pampel <jpampel () paladyne com>]

Hi,

I upgraded a sensor which was at Snort 2.8.4 to the new version 2.8.5.3
This is on Solaris 10, x86.  I am logging remotely; there is no local mysql etc.
It has been running snort stably for over a year now.

Now when I try to run Snort, it chokes on the global telnet config, but there is nothing wrong with it - it is the 
default.


Version looks fine:
++++++++++++++++++++++++
MY-IDS@/usr/local/bin: snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.3 (Build 124)  i86pc
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.9 2009-04-11
++++++++++++++++++++++++


Trying to run snort leads to this:

+++++++++++
MY-IDS@/usr/local/bin: snort -i e1000g0 -c /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
Tagged Packet Limit: 256

........<snip>

Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
ERROR: /usr/local/etc/snort.conf(397) => Invalid keyword 'encrypted_traffic' for 'global' configuration.
Fatal Error, Quitting..
My-IDS@/usr/local/bin:
+++++++++++++++++

Global telnet config matches the default in 2.8.4.  "encrypted_traffic" was a good keyword and still is from what I 
have read.
Have read docs for 2.8.5.3, have tried disabling this whole piece of config.  Very confused what would cause this. 
Google did not find this error.

Not sure what to do here.  It compiled fine as far as I can tell.
It will run if I skip over the rules file completely, eg:

++++++++
MY-IDS@/usr/local/bin: snort -i e1000g0 -b
Running in packet logging mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Log directory = /var/log/snort
Initializing Network Interface e1000g0
Decoding Ethernet on interface e1000g0

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.3 (Build 124)  i86pc
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.9 2009-04-11

Not Using PCAP_FRAMES
^C*** Caught Int-Signal
Run time prior to being shutdown was 43.183660 seconds
===============================================================================
Packet Wire Totals:
   Received:           73
   Analyzed:           72 (98.630%)
    Dropped:            0 (0.000%)
Outstanding:            1 (1.370%)

+++++++++++++etc.

Thanks for any suggestions you might have.

- Joe

The information contained in this correspondence is intended solely for the person or entity entitled to receive the 
confidential and/or privileged material that it may contain. Any review, retransmission, dissemination or other use of, 
or taking of any action in reliance upon, the information in this correspondence (including any attachments) by anyone 
other than the intended recipient is strictly prohibited. If you believe that you may not be the intended recipient, 
please destroy and/or delete this correspondence and the attachment(s).

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users