Snort mailing list archives
Re: FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.
From: alexus <alexus () gmail com>
Date: Mon, 22 Aug 2011 19:57:50 -0400
guys, please help

su-3.2# md5 snort-2.9.0.5.tar.gz
MD5 (snort-2.9.0.5.tar.gz) = a7e6f0b013f767d09c99f8f91757e355
su-3.2# grep './configure' config.log
  $ ./configure --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
su-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.2.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

su-3.2# md5 snortrules-snapshot-2905.tar.gz
MD5 (snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
su-3.2# md5 ../snortrules-snapshot-2905.tar.gz
MD5 (../snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 65535 ]
PortVar 'FTP_PORTS' defined : [ 20:21 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: parser.c(5245) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Fatal Error, Quitting..
su-3.2# ls -dl /usr/local/lib/snort_dynamic*
drwxr-xr-x  2 root  wheel   512 Aug 22 23:50 /usr/local/lib/snort_dynamicengine
drwxr-xr-x  2 root  wheel  1536 Aug 22 23:50 /usr/local/lib/snort_dynamicpreprocessor
su-3.2#

where do those "snort_dynamicrules" come from? what am I missing?

On Thu, Aug 18, 2011 at 12:13 PM, alexus <alexus () gmail com> wrote:
I downloaded 2.8.6.1

su-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

su-3.2#

downloaded ruleset for 2.8 and same thing... (it CRASHES!!!)

su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 65535 ]
PortVar 'FTP_PORTS' defined : [ 20:21 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
  Loading dynamic detection library /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so... done
  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
Segmentation fault: 11 (core dumped)
su-3.2#

On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 8/17/2011 11:07, alexus wrote:

it seems like it's failing on part #5 (preprocessors(rpc_decode))

su-3.2# snort -sc /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
[TRIM]
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
Segmentation fault: 11 (core dumped)
su-3.2#

in my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line is the loading of the Portscan Detection Config... it is immediately after the alert_multiple_requests line... then i have the following sections...

FTPTelnet Config
SMTP Config
SSH Config
DCE/RPC 2 Preprocessor Configuration
DNS Configuration
SSLPP config
Initializing rule chains...

maybe this helps somewhat?

--
http://alexus.org/

--
http://alexus.org/
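
The fatal error in the message above is a dynamic module path that snort.conf names but that does not exist on disk. As an added example (not part of the original post and not Snort's own code), the shell function below lists every dynamicpreprocessor, dynamicengine and dynamicdetection path in a config that is missing; the function names, the temporary directory and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Report dynamic-module paths named in a snort.conf that do not exist on disk.
# Prints one line per missing path and returns 1 if any path is missing.
check_dynamic_paths() {
    conf=$1
    missing=0
    while read -r directive kind path _rest; do
        case $directive in
            dynamicpreprocessor|dynamicengine|dynamicdetection) ;;
            *) continue ;;                       # not a dynamic-module line
        esac
        case $kind in
            directory) test_flag=-d ;;
            file)      test_flag=-f ;;
            *)         test_flag=-f; path=$kind ;;   # "dynamicengine /path/lib.so"
        esac
        if ! test "$test_flag" "$path"; then
            echo "missing ($directive): $path"
            missing=1
        fi
    done <<EOF
$(sed 's/#.*$//' "$conf")
EOF
    return "$missing"
}

# Constructed sample mirroring the layout in the post: the engine and
# preprocessor directories exist, snort_dynamicrules does not.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/snort_dynamicengine" "$root/lib/snort_dynamicpreprocessor"
    : > "$root/lib/snort_dynamicengine/libsf_engine.so"
    cat > "$root/snort.conf" <<EOF
# dynamic module section of a constructed snort.conf
dynamicpreprocessor directory $root/lib/snort_dynamicpreprocessor/
dynamicengine $root/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $root/lib/snort_dynamicrules
EOF
    echo "$root"
}

sample=$(make_sample)
check_dynamic_paths "$sample/snort.conf" || echo "snort.conf references paths that do not exist"
rm -rf "$sample"
```

Against a real installation, pass the path of the config in use, for example /usr/local/etc/snort.conf. Snort's -T option (snort -T -c /usr/local/etc/snort.conf) runs the full configuration test.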