Snort mailing list archives

Re: FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.


From: alexus <alexus () gmail com>
Date: Mon, 22 Aug 2011 19:57:50 -0400

guys, please help

su-3.2# md5 snort-2.9.0.5.tar.gz
MD5 (snort-2.9.0.5.tar.gz) = a7e6f0b013f767d09c99f8f91757e355
su-3.2# grep './configure' config.log
  $ ./configure --enable-ipv6 --enable-gre --enable-mpls
--enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-zlib --enable-active-response
--enable-normalizer --enable-reload --enable-react --enable-flexresp3
su-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.2.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

su-3.2# md5 snortrules-snapshot-2905.tar.gz
MD5 (snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
su-3.2# md5 ../snortrules-snapshot-2905.tar.gz
MD5 (../snortrules-snapshot-2905.tar.gz) = 58791cfc8efb4ac278f4c2effea935ff
su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
PortVar 'FTP_PORTS' defined :  [ 20:21 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: parser.c(5245) Could not stat dynamic module path
"/usr/local/lib/snort_dynamicrules": No such file or directory.
Fatal Error, Quitting..
su-3.2# ls -dl /usr/local/lib/snort_dynamic*
drwxr-xr-x  2 root  wheel   512 Aug 22 23:50 /usr/local/lib/snort_dynamicengine
drwxr-xr-x  2 root  wheel  1536 Aug 22 23:50 /usr/local/lib/snort_dynamicpreprocessor
su-3.2#

where does that "snort_dynamicrules" come from?
what am I missing?



On Thu, Aug 18, 2011 at 12:13 PM, alexus <alexus () gmail com> wrote:
I downloaded 2.8.6.1

su-3.2# snort -V

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
  ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2010 Sourcefire, Inc., et al.
          Using PCRE version: 7.8 2008-09-05
          Using ZLIB version: 1.2.3

su-3.2#

downloaded the ruleset for 2.8 and same thing... (it CRASHES!!!)

su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

       --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
PortVar 'FTP_PORTS' defined :  [ 20:21 ]
Detection:
  Search-Method = AC-Full-Q
   Split Any/Any group = enabled
   Search-Method-Optimizations = enabled
   Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
 Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
done
 Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
done
 Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
 Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
Segmentation fault: 11 (core dumped)
su-3.2#





On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 8/17/2011 11:07, alexus wrote:
it seems like it's failing on part #5 (preprocessors(rpc_decode))


su-3.2# snort -sc /usr/local/etc/snort.conf
Running in IDS mode

         --== Initializing Snort ==--
[TRIM]
rpc_decode arguments:
     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
32776 32777 32778 32779
     alert_fragments: INACTIVE
     alert_large_fragments: INACTIVE
     alert_incomplete: INACTIVE
     alert_multiple_requests: INACTIVE
Segmentation fault: 11 (core dumped)
su-3.2#

In my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line is the loading
of the Portscan Detection Config... it is immediately after the
alert_multiple_requests line... then I have the following sections...

 FTPTelnet Config
 SMTP Config
 SSH Config
 DCE/RPC 2 Preprocessor Configuration
 DNS Configuration
 SSLPP config
 Initializing rule chains...

maybe this helps somewhat?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




--
http://alexus.org/




-- 
http://alexus.org/
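The fatal error in the 2.9.0.5 run above ("Could not stat dynamic module path") is Snort refusing to start because a directory named by a dynamicdetection directive in snort.conf is not on disk. The script below is an added example, not code from this thread or from the Snort project: it reads a snort.conf, pulls out every path given to the Snort 2.x dynamicengine, dynamicpreprocessor and dynamicdetection directives, and reports the ones that do not exist, so all missing module paths are visible at once instead of one per failed start. The directory tree and snort.conf it builds for the demo are constructed here and mirror the ls listing in the post (engine and preprocessor directories present, snort_dynamicrules absent). It does not follow include lines and does not expand $VARIABLE references in paths.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Lists every dynamic-module path a Snort 2.x snort.conf asks Snort to
# load (dynamicengine, dynamicpreprocessor, dynamicdetection) and reports
# the ones that do not exist on disk. A missing path is exactly what
# "Could not stat dynamic module path" in the post refers to.
# Limitations (by design): include lines are not followed and $VARIABLE
# references in paths are not expanded; such paths are reported as-is.

# Print "<directive> <path>" for each dynamic* directive in a snort.conf.
# Comments are stripped first, so a commented-out directive is ignored.
# Accepts "dynamicX directory /dir", "dynamicX file /lib.so" and the
# one-argument "dynamicengine /lib.so" form.
snort_dynamic_paths() {
    sed -e 's/#.*$//' "$1" \
    | awk '$1 ~ /^dynamic(engine|preprocessor|detection)$/ {
              path = ($2 == "directory" || $2 == "file") ? $3 : $2
              if (path != "") print $1, path
          }'
}

# Print "<directive> <path>" only for paths that do not exist.
# Empty output means every configured module path is present.
missing_snort_dynamic_paths() {
    snort_dynamic_paths "$1" | while read -r directive path; do
        [ -e "$path" ] || printf '%s %s\n' "$directive" "$path"
    done
}

# Constructed fixture mirroring the ls output in the post: the engine and
# preprocessor directories exist under a temp prefix, snort_dynamicrules
# does not. Prints the path of the generated snort.conf.
make_demo_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/lib/snort_dynamicengine" "$base/lib/snort_dynamicpreprocessor"
    : > "$base/lib/snort_dynamicengine/libsf_engine.so"
    cat > "$base/snort.conf" <<EOF
# constructed sample, not a real snort.conf
ipvar HOME_NET any
dynamicpreprocessor directory $base/lib/snort_dynamicpreprocessor/
dynamicengine $base/lib/snort_dynamicengine/libsf_engine.so
# dynamicdetection directory /commented/out/and/ignored
dynamicdetection directory $base/lib/snort_dynamicrules
EOF
    echo "$base/snort.conf"
}

# Usage: sh check_snort_dynamic_paths.sh [/usr/local/etc/snort.conf]
# With no argument the constructed fixture is checked instead.
conf="${1:-$(make_demo_fixture)}"
missing_snort_dynamic_paths "$conf"
```

Run against the real file with `sh check_snort_dynamic_paths.sh /usr/local/etc/snort.conf`; one line per missing path, nothing printed when the config is consistent with the filesystem. Snort's own `snort -T -c /usr/local/etc/snort.conf` config test stops at the first such error, which is why a one-shot listing like this is handy when several directives point at a prefix that differs from where the libraries were actually installed.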
