Snort mailing list archives

Re: FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.


From: alexus <alexus () gmail com>
Date: Thu, 18 Aug 2011 11:45:24 -0400

I commented this out

##preprocessor stream5_global: track_tcp yes, \
##   track_udp yes, \
##   track_icmp no, \
##   max_tcp 262144, \
##   max_udp 131072, \
##   max_active_responses 2, \
##   min_response_seconds 5

and this

##preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete


to get to this:

su-3.2# snort -sc /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
PortVar 'FTP_PORTS' defined :  [ 20:21 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
  Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
done
  Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
normalizations disabled because not inlineWARNING: icmp4
normalizations disabled because not inlineWARNING: ip6 normalizations
disabled because not inlineWARNING: icmp6 normalizations disabled
because not inlineFrag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Problems: 1
    Overlap Limit:     10
    Min fragment Length:     100
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
Stream5 TCP Policy config:
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      81 client (Footprint) server (Footprint)
      109 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      113 client (Footprint)
      119 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      161 client (Footprint)
Stream5 UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /usr/local/etc/unicode.map
      IIS Unicode Map Codepage: 1252
      Max Gzip Memory: 838860
      Max Gzip Sessions: 6
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
8243 8280 8888 9090 9091 9443 9999 11371
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      Base36: OFF
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Segmentation fault: 11 (core dumped)
su-3.2#

I don't understand how those rules are being released if they have so many
issues... or is it just me?
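
The two failure modes this thread hit before the segfault (a directive that needs a compile-time option the binary lacks, and preprocessor lines that span several physical lines with `\` continuations when you comment them out to bisect) can be checked before Snort is started. The following script is an added example, not code from the thread or from the Snort project; the sample snort.conf, the `REQUIRED_OPTION` mapping and the set of options the binary was built with are this example's own assumptions, and the two dependencies it knows (ipvar needs --enable-ipv6, http_inspect compress_depth needs --enable-zlib) are the ones the thread establishes.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a Snort 2.9 snort.conf (example, not Snort's own code).

- logical_lines(): joins '\\' continuations and keeps 1-based line numbers, so
  findings can be reported in the same 'snort.conf(45)' form Snort uses.
- check(): flags --enable-* options the header recommends but the binary lacks,
  and directives that will fail without them.
- comment_out(): comments out one preprocessor *including* its continuation
  lines (the '##' style used in the thread) for trial-and-error bisection.
"""
import re
from typing import Iterator, List, Set, Tuple

# Directive pattern -> build option it depends on.  Both dependencies come
# from the thread; the mapping itself is this example's assumption.
REQUIRED_OPTION = [
    (re.compile(r"^ipvar\b"), "--enable-ipv6"),
    (re.compile(r"^preprocessor\s+http_inspect:.*\b(de)?compress_depth\b"),
     "--enable-zlib"),
]

# Constructed sample config in the layout of the VRT rules-tarball snort.conf.
SAMPLE_CONF = """\
#--------------------------------------------------
#   VRT Rule Packages Snort.conf
#     OPTIONS : --enable-ipv6 --enable-gre --enable-zlib --enable-targetbased
#--------------------------------------------------
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,3128]
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   track_icmp no
preprocessor http_inspect: global \\
   iis_unicode_map unicode.map 1252 \\
   compress_depth 65535 \\
   decompress_depth 65535
preprocessor rpc_decode: 111 32770 32771 no_alert_multiple_requests
include threshold.conf
"""


def logical_lines(text: str) -> Iterator[Tuple[int, int, str]]:
    """Yield (first_lineno, last_lineno, joined_text) per logical line,
    joining trailing-backslash continuations the way snort.conf does."""
    buf: List[str] = []
    start = n = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):          # continuation: keep collecting
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, n, " ".join(p.strip() for p in buf).strip()
        buf = []
    if buf:                               # file ended inside a continuation
        yield start, n, " ".join(p.strip() for p in buf).strip()


def build_options(text: str) -> Set[str]:
    """Collect the --enable-* tokens from the '# OPTIONS :' header comment."""
    opts: Set[str] = set()
    for _, _, line in logical_lines(text):
        if line.startswith("#") and "OPTIONS" in line:
            opts.update(re.findall(r"--enable-[\w-]+", line))
    return opts


def check(text: str, built_with: Set[str]) -> List[str]:
    """Return findings; an empty list means nothing known will fail to parse
    on a binary configured with exactly `built_with`."""
    findings = []
    for opt in sorted(build_options(text) - built_with):
        findings.append(f"header recommends {opt} but the binary was built without it")
    for first, last, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        for pat, opt in REQUIRED_OPTION:
            if pat.search(line) and opt not in built_with:
                where = f"snort.conf({first})" if first == last else f"snort.conf({first}-{last})"
                name = " ".join(line.split()[:2]).rstrip(":")
                findings.append(f"{where}: '{name}' needs {opt}")
    return findings


def comment_out(text: str, preproc: str) -> str:
    """Prefix 'preprocessor <preproc>' and all of its continuation lines with
    '##', so no dangling continuation line is left behind."""
    lines = text.splitlines()
    head = re.compile(rf"^preprocessor\s+{re.escape(preproc)}(?::|\s|$)")
    for first, last, logical in logical_lines(text):
        if head.match(logical):
            for i in range(first - 1, last):
                lines[i] = "##" + lines[i]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A binary configured like the one in the thread: no IPv6, no zlib.
    for finding in check(SAMPLE_CONF, {"--enable-gre", "--enable-targetbased"}):
        print(finding)
    print(comment_out(SAMPLE_CONF, "stream5_global"))
```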



On Wed, Aug 17, 2011 at 1:28 PM, Russ Combs <rcombs () sourcefire com> wrote:
Looks like you are going to have to comment stuff out to isolate the issue
by trial and error.  Suggest you start by commenting out all rule includes
and then rpc_decode.  If it turns out to be related to an so rule or dynamic
preprocessor, delete the offending so and install again.  Let us know what
happens.

On Wed, Aug 17, 2011 at 11:07 AM, alexus <alexus () gmail com> wrote:

here is a last few lines in my snort.conf

###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see

http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
###################################################

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/icmp.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/pop3.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/snmp.rules
# include $SO_RULE_PATH/specific-threats.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-iis.rules
# include $SO_RULE_PATH/web-misc.rules

# Event thresholding or suppression commands. See threshold.conf
include threshold.conf

I did not comment it out, it came like this (I did not change that
part)

it seems like it's failing on part #5 (preprocessors(rpc_decode))


su-3.2# snort -sc /usr/local/etc/snort.conf
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
PortVar 'FTP_PORTS' defined :  [ 20:21 ]
Detection:
  Search-Method = AC-Full-Q
   Split Any/Any group = enabled
   Search-Method-Optimizations = enabled
   Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
 Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
done
 Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
 Loading dynamic preprocessor library

/usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
 Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp
normalizations disabled because not inlineWARNING: icmp4
normalizations disabled because not inlineWARNING: ip6 normalizations
disabled because not inlineWARNING: icmp6 normalizations disabled
because not inlineFrag3 global config:
   Max frags: 65536
   Fragment memory cap: 4194304 bytes
Frag3 engine config:
   Target-based policy: WINDOWS
   Fragment timeout: 180 seconds
   Fragment min_ttl:   1
   Fragment Problems: 1
   Overlap Limit:     10
   Min fragment Length:     100
Stream5 global config:
   Track TCP sessions: ACTIVE
   Max TCP sessions: 8192
   Memcap (for reassembly packet storage): 8388608
   Track UDP sessions: INACTIVE
   Track ICMP sessions: INACTIVE
   Log info if session memory consumption exceeds 1048576
   Send up to 0 active responses
Stream5 TCP Policy config:
   Reassembly Policy: WINDOWS
   Timeout: 180 seconds
   Limit on TCP Overlaps: 10
   Maximum number of bytes to queue per session: 1048576
   Maximum number of segs to queue per session: 2621
   Options:
       Require 3-Way Handshake: YES
       3-Way Handshake Timeout: 180
       Detect Anomalies: YES
   Reassembly Ports:
     21 client (Footprint)
     22 client (Footprint)
     23 client (Footprint)
     25 client (Footprint)
     42 client (Footprint)
     53 client (Footprint)
     79 client (Footprint)
     80 client (Footprint) server (Footprint)
     81 client (Footprint) server (Footprint)
     109 client (Footprint)
     110 client (Footprint)
     111 client (Footprint)
     113 client (Footprint)
     119 client (Footprint)
     135 client (Footprint)
     136 client (Footprint)
     137 client (Footprint)
     139 client (Footprint)
     143 client (Footprint)
     161 client (Footprint)
Stream5 UDP Policy config:
   Timeout: 180 seconds
HttpInspect Config:
   GLOBAL CONFIG
     Max Pipeline Requests:    0
     Inspection Type:          STATELESS
     Detect Proxy Usage:       NO
     IIS Unicode Map Filename: /usr/local/etc/unicode.map
     IIS Unicode Map Codepage: 1252
     Max Gzip Memory: 838860
     Max Gzip Sessions: 6
     Gzip Compress Depth: 65535
     Gzip Decompress Depth: 65535
   DEFAULT SERVER CONFIG:
     Server profile: All
     Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
8243 8280 8888 9090 9091 9443 9999 11371
     Server Flow Depth: 0
     Client Flow Depth: 0
     Max Chunk Length: 500000
     Max Header Field Length: 750
     Max Number Header Fields: 100
     Inspect Pipeline Requests: YES
     URI Discovery Strict Mode: NO
     Allow Proxy Usage: NO
     Disable Alerting: NO
     Oversize Dir Length: 500
     Only inspect URI: NO
     Normalize HTTP Headers: NO
     Inspect HTTP Cookies: YES
     Inspect HTTP Responses: YES
     Extract Gzip from responses: YES
     Unlimited decompression of gzip data from responses: YES
     Normalize HTTP Cookies: NO
     Enable XFF and True Client IP: NO
     Extended ASCII code support in URI: NO
     Ascii: YES alert: NO
     Double Decoding: YES alert: NO
     %U Encoding: YES alert: YES
     Bare Byte: YES alert: NO
     Base36: OFF
     UTF 8: YES alert: NO
     IIS Unicode: YES alert: NO
     Multiple Slash: YES alert: NO
     IIS Backslash: YES alert: NO
     Directory Traversal: YES alert: NO
     Web Root Traversal: YES alert: NO
     Apache WhiteSpace: YES alert: NO
     IIS Delimiter: YES alert: NO
     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
     Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
     Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
   Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
32776 32777 32778 32779
   alert_fragments: INACTIVE
   alert_large_fragments: INACTIVE
   alert_incomplete: INACTIVE
   alert_multiple_requests: INACTIVE
Segmentation fault: 11 (core dumped)
su-3.2#
On Tue, Aug 16, 2011 at 6:43 PM, Joel Esler <jesler () sourcefire com> wrote:
Try not using the Shared Object rules, see if Snort starts.

J

On Aug 16, 2011, at 6:41 PM, alexus wrote:

su-3.2# file /usr/local/bin/snort
/usr/local/bin/snort: ELF 64-bit LSB executable, x86-64, version 1
(FreeBSD), for FreeBSD 7.4, dynamically linked (uses shared libs),
FreeBSD-style, not stripped
su-3.2# uname -a
FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
17:48:16 UTC 2011
alexus () dd alexus org:/usr/obj/usr/src/sys/GENERIC  amd64
su-3.2#

once again, snort itself works; it's the rules that make it crash right
away. If I don't use that snort.conf, snort runs by itself no problem

On Tue, Aug 16, 2011 at 5:41 PM, Joel Esler <jesler () sourcefire com>
wrote:
Are you using 32 bit SO rules on a 64 bit platform?  Or Vice versa?

Joel

On Aug 16, 2011, at 5:02 PM, alexus wrote:

the file came from the snortrules that I pulled yesterday, plus I've made
small modifications for HOME_NET and some ports that apply to my
system

my system is:

FreeBSD dd.alexus.org 7.4-RELEASE FreeBSD 7.4-RELEASE #0: Sun Mar 20
17:48:16 UTC 2011
alexus () dd alexus org:/usr/obj/usr/src/sys/GENERIC  amd64

snort.conf is attached


On Tue, Aug 16, 2011 at 4:59 PM, Joel Esler <jesler () sourcefire com>
wrote:
Can you provide your snort.conf file and OS version for us?

Joel

On Aug 16, 2011, at 4:50 PM, alexus wrote:

so should I be using another set of rules? to get this thing going?

On Tue, Aug 16, 2011 at 11:50 AM, alexus <alexus () gmail com> wrote:
if that's helpful

su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414
1830
2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
8088
8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
Detection:
  Search-Method = AC-Full-Q
   Split Any/Any group = enabled
   Search-Method-Optimizations = enabled
   Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
 Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
done
 Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
 Loading dynamic preprocessor library

/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
done
 Loading dynamic preprocessor library

/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
done
 Loading dynamic preprocessor library

/usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
done
 Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inlineWARNING:
tcp
normalizations disabled because not inlineWARNING: icmp4
normalizations disabled because not inlineWARNING: ip6
normalizations
disabled because not inlineWARNING: icmp6 normalizations disabled
because not inlineFrag3 global config:
   Max frags: 65536
   Fragment memory cap: 4194304 bytes
Frag3 engine config:
   Target-based policy: WINDOWS
   Fragment timeout: 180 seconds
   Fragment min_ttl:   1
   Fragment Problems: 1
   Overlap Limit:     10
   Min fragment Length:     100
Stream5 global config:
   Track TCP sessions: ACTIVE
   Max TCP sessions: 8192
   Memcap (for reassembly packet storage): 8388608
   Track UDP sessions: INACTIVE
   Track ICMP sessions: INACTIVE
   Log info if session memory consumption exceeds 1048576
   Send up to 0 active responses
Stream5 TCP Policy config:
   Reassembly Policy: WINDOWS
   Timeout: 180 seconds
   Limit on TCP Overlaps: 10
   Maximum number of bytes to queue per session: 1048576
   Maximum number of segs to queue per session: 2621
   Options:
       Require 3-Way Handshake: YES
       3-Way Handshake Timeout: 180
       Detect Anomalies: YES
   Reassembly Ports:
     21 client (Footprint)
     22 client (Footprint)
     23 client (Footprint)
     25 client (Footprint)
     42 client (Footprint)
     53 client (Footprint)
     79 client (Footprint)
     80 client (Footprint) server (Footprint)
     81 client (Footprint) server (Footprint)
     109 client (Footprint)
     110 client (Footprint)
     111 client (Footprint)
     113 client (Footprint)
     119 client (Footprint)
     135 client (Footprint)
     136 client (Footprint)
     137 client (Footprint)
     139 client (Footprint)
     143 client (Footprint)
     161 client (Footprint)
Stream5 UDP Policy config:
   Timeout: 180 seconds
HttpInspect Config:
   GLOBAL CONFIG
     Max Pipeline Requests:    0
     Inspection Type:          STATELESS
     Detect Proxy Usage:       NO
     IIS Unicode Map Filename: /usr/local/etc/unicode.map
     IIS Unicode Map Codepage: 1252
     Max Gzip Memory: 838860
     Max Gzip Sessions: 6
     Gzip Compress Depth: 65535
     Gzip Decompress Depth: 65535
   DEFAULT SERVER CONFIG:
     Server profile: All
     Ports: 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809
3128
3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180
8181
8243 8280 8888 9090 9091 9443 9999 11371
     Server Flow Depth: 0
     Client Flow Depth: 0
     Max Chunk Length: 500000
     Max Header Field Length: 750
     Max Number Header Fields: 100
     Inspect Pipeline Requests: YES
     URI Discovery Strict Mode: NO
     Allow Proxy Usage: NO
     Disable Alerting: NO
     Oversize Dir Length: 500
     Only inspect URI: NO
     Normalize HTTP Headers: NO
     Inspect HTTP Cookies: YES
     Inspect HTTP Responses: YES
     Extract Gzip from responses: YES
     Unlimited decompression of gzip data from responses: YES
     Normalize HTTP Cookies: NO
     Enable XFF and True Client IP: NO
     Extended ASCII code support in URI: NO
     Ascii: YES alert: NO
     Double Decoding: YES alert: NO
     %U Encoding: YES alert: YES
     Bare Byte: YES alert: NO
     Base36: OFF
     UTF 8: YES alert: NO
     IIS Unicode: YES alert: NO
     Multiple Slash: YES alert: NO
     IIS Backslash: YES alert: NO
     Directory Traversal: YES alert: NO
     Web Root Traversal: YES alert: NO
     Apache WhiteSpace: YES alert: NO
     IIS Delimiter: YES alert: NO
     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
     Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05
0x06 0x07
     Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
   Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
32776 32777 32778 32779
   alert_fragments: INACTIVE
   alert_large_fragments: INACTIVE
   alert_incomplete: INACTIVE
   alert_multiple_requests: INACTIVE
Segmentation fault: 11 (core dumped)
su-3.2#


On Tue, Aug 16, 2011 at 11:46 AM, alexus <alexus () gmail com> wrote:
sorry pressed send before completing email...

so I recompiled it with --enable-debug; how do you want me to
re-run it?

I think some rules are screwing it up, because when I run it as snort
-Ds it runs by itself...

On Tue, Aug 16, 2011 at 11:41 AM, alexus <alexus () gmail com>
wrote:
yes it happened right on the start up...

this is me doing uninstall...

su-3.2# make uninstall
Making uninstall in src
Making uninstall in sfutil
Making uninstall in win32
Making uninstall in output-plugins
Making uninstall in detection-plugins
Making uninstall in dynamic-plugins
Making uninstall in sf_engine
Making uninstall in examples
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicengine/libsf_engine.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicengine/libsf_engine.la
/usr/local/lib/snort_dynamicengine/libsf_engine.so.0
/usr/local/lib/snort_dynamicengine/libsf_engine.so
/usr/local/lib/snort_dynamicengine/libsf_engine.so
Making uninstall in sf_preproc_example
Making uninstall in preprocessors
Making uninstall in HttpInspect
Making uninstall in include
Making uninstall in utils
Making uninstall in user_interface
Making uninstall in session_inspection
Making uninstall in mode_inspection
Making uninstall in anomaly_detection
Making uninstall in event_output
Making uninstall in server
Making uninstall in client
Making uninstall in normalization
Making uninstall in Stream5
Making uninstall in parser
Making uninstall in dynamic-preprocessors
Making uninstall in libs
Making uninstall in ftptelnet
 /bin/sh ../../../libtool   --mode=uninstall rm -f

'/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la'
libtool: uninstall: rm -f

/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la

/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0

/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so

/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
Making uninstall in smtp
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
Making uninstall in ssh
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
Making uninstall in dns
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
Making uninstall in ssl
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
Making uninstall in dcerpc2
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
Making uninstall in sdf
 /bin/sh ../../../libtool   --mode=uninstall rm -f
'/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la'
libtool: uninstall: rm -f
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
/usr/local/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
-f: not found
*** Error code 127

Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
*** Error code 1

Stop in /usr/local/src/snort-2.9.0.5/src/dynamic-preprocessors.
*** Error code 1

Stop in /usr/local/src/snort-2.9.0.5/src.
*** Error code 1

Stop in /usr/local/src/snort-2.9.0.5.
su-3.2#

and after re-making it, I'm getting the same Segmentation fault: 11
(core dumped)

On Tue, Aug 16, 2011 at 11:23 AM, Russ Combs <rcombs () sourcefire com> wrote:
Is that happening on start up?  Might try make uninstall and then make
install.  If it still happens, then make clean, ./configure with prior
options plus --enable-debug and rerun in the debugger and send a backtrace.

You can check here for more information on that:

http://www.snort.org/snort-downloads/submit-a-bug

and as that says, in the doc/BUGS file in the source tree.

On Tue, Aug 16, 2011 at 11:07 AM, alexus <alexus () gmail com>
wrote:

I took this from the beginning of snort.conf

--enable-ipv6 --enable-gre --enable-mpls --enable-targetbased
--enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-zlib --enable-active-response
--enable-normalizer --enable-reload --enable-react --enable-flexresp3

and I recompiled my snort with all these options, which include zlib

On Tue, Aug 16, 2011 at 10:48 AM, JJC <cummingsj () gmail com>
wrote:
you need to build snort with --enable-zlib for that one

On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus () gmail com>
wrote:

also, if I take the snort.conf that came with the distro (2.9.0.5),

snort stops on the following

Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
/usr/local/etc/snort.conf(212) => Invalid keyword
'compress_depth' for
'global' configuration.

when I tried with the snort.conf that came with the rules I got the
same message

Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
/usr/local/etc/snort.conf(265) => Invalid keyword
'compress_depth' for
'global' configuration.



On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus () gmail com>
wrote:
I have the following in my snort.conf (top section)

#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
--enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-zlib --enable-active-response
--enable-normalizer --enable-reload --enable-react --enable-flexresp3

I went ahead and recompiled it with all that, yet I still get the same
results

On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler
<jesler () sourcefire com>
wrote:
Look at the top of the snort.conf file. You should see our recommended
compile options.

Sent from my iPhone
On Aug 15, 2011, at 21:32, alexus <alexus () gmail com>
wrote:

Anything specific ?

On Aug 15, 2011 8:59 PM, "Joel Esler"
<jesler () sourcefire com> wrote:
Sounds like you may need to take a look at our recommended compile
options at the top of the snort.conf in the etc/ directory.

Check that out.

Sent from my iPhone

On Aug 15, 2011, at 20:20, alexus <alexus () gmail com>
wrote:

ok, done
I don't have IPv6 enabled on my system, so you were right: as soon as
I changed ipvar to var it went through that,
but it complains about something else...

Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
Aug 16 00:16:41 dd snort[22515]: Parsing Rules file "/usr/local/etc/snort.conf"
Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 22 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: Detection:
Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
Aug 16 00:16:41 dd snort[22515]: FATAL ERROR: /usr/local/etc/snort.conf(246) => Unknown Stream5 global option (max_active_responses 2)


# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

For whatever reason(s) it now doesn't like this line:

min_response_seconds 5

or, according to the syslog line,

max_active_responses 2, \



On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 8/15/2011 17:15, alexus wrote:
line 45 of /usr/local/etc/snort.conf states:

ipvar HOME_NET [64.237.55.65/27]

I don't understand why it's complaining ...

IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your snort compile, it won't work... use var instead of ipvar...






------------------------------------------------------------------------------
uberSVN's rich system and user administration
capabilities and
model
configuration take the hassle out of deploying and
managing
Subversion
and
the tools developers use with it. Learn more about
uberSVN and
get a
free
download at: http://p.sf.net/sfu/wandisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation




--
http://alexus.org/
<snort.conf>
-- 
http://alexus.org/
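Both failures in this thread are the same class of problem: a snort.conf directive that Snort only understands when a build-time feature is present (ipvar without IPv6 support in the build, and the stream5_global active-response options), and a FATAL ERROR whose line number points at a continuation line inside a backslash-joined directive. The following pre-flight check is an added example and is not Snort's code or anything posted in this thread. It joins continuation lines the way Snort's parser does, reports both the directive's first line and the physical line of the offending token, and applies the ipvar-to-var substitution that resolved the first error. The mapping from ipvar to an IPv6-enabled build comes from the thread; treating max_active_responses and min_response_seconds as requiring active-response support is an assumption encoded in the tables below (adjust them to your build). The sample configuration is constructed for the example, not the poster's file.

```python
"""Pre-flight lint for Snort 2.9-era snort.conf files (added example).

Flags directives that Snort rejects when a build-time feature is missing
and reports the physical line of the offending token, so the FATAL ERROR
line number (which may point inside a backslash-continued directive) is
easier to map back to the file.
"""
import re

# Top-level keyword -> build feature it needs.
# ipvar -> ipv6 is from the thread; everything else here is an assumption.
FEATURE_KEYWORDS = {
    "ipvar": "ipv6",
}

# stream5_global option -> build feature (assumed: active response support).
STREAM5_GLOBAL_FEATURE_OPTIONS = {
    "max_active_responses": "active_response",
    "min_response_seconds": "active_response",
}

# Constructed sample; uses a documentation prefix, not the poster's address.
SAMPLE_CONF = """\
# constructed sample, not a full snort.conf
ipvar HOME_NET [192.0.2.0/27]
var EXTERNAL_NET any
# Target-Based stateful inspection/stream reassembly.
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   track_icmp no, \\
   max_tcp 262144, \\
   max_udp 131072, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""


def logical_lines(text):
    """Yield (first_line_no, [(line_no, text), ...]) joining backslash
    continuations into one logical directive, keeping physical line numbers."""
    parts, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            parts.append((lineno, line[:-1]))
            continue
        parts.append((lineno, line))
        yield start, parts
        parts, start = [], None
    if parts:                      # file ended on a continuation line
        yield start, parts


def _stream5_options(parts):
    """Yield (line_no, option_name) for each comma-separated option of a
    joined 'preprocessor stream5_global:' directive."""
    for lineno, text in parts:
        body = text.split(":", 1)[1] if "stream5_global" in text else text
        for chunk in body.split(","):
            tokens = chunk.split()
            if tokens:
                yield lineno, tokens[0]


def lint(text, features):
    """Return [(directive_line, token_line, name, required_feature), ...]
    for every directive or option whose feature is absent from `features`."""
    problems = []
    for start, parts in logical_lines(text):
        joined = " ".join(p.strip() for _, p in parts).strip()
        if not joined or joined.startswith("#"):
            continue
        words = joined.split()
        keyword = words[0]
        feat = FEATURE_KEYWORDS.get(keyword)
        if feat and feat not in features:
            problems.append((start, start, keyword, feat))
        if keyword == "preprocessor" and len(words) > 1 \
                and words[1].rstrip(":") == "stream5_global":
            for lineno, opt in _stream5_options(parts):
                feat = STREAM5_GLOBAL_FEATURE_OPTIONS.get(opt)
                if feat and feat not in features:
                    problems.append((start, lineno, opt, feat))
    return problems


def downgrade_ipvar(text):
    """Rewrite 'ipvar' directives to 'var', the fix that worked in the thread."""
    return re.sub(r"^(\s*)ipvar\b", r"\1var", text, flags=re.M)


if __name__ == "__main__":
    # Empty feature set models a build without IPv6 or active response.
    for directive, token, name, feat in lint(SAMPLE_CONF, set()):
        print(f"snort.conf({token}) => '{name}' needs {feat} support "
              f"(directive starts at line {directive})")
    print(downgrade_ipvar(SAMPLE_CONF))
```

Run against the sample with an empty feature set, it reports ipvar on line 2 and the two active-response options on lines 10 and 11, each tagged with line 5 where the stream5_global directive begins; with both features present it reports nothing. On a real host, compare the reported features with what your snort binary was built with (snort -V and the configure options used by your package) rather than commenting the lines out blindly.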