Snort
mailing list archives
startup error on with blacklist rules
From: Jim Turner <JTurner () hilltopconsultants com>
Date: Mon, 11 Mar 2013 10:11:22 -0400
Hello Everyone,
I got past the problem I reported the other day. However, now I am stuck on a different error processing blacklist and
most likely whitelist rules.
I have attached my snort.conf and the error that I am receiving.
I am running 2.9.4.1 on Windows 7 Pro. I really appreciate your help.
Thanks,
Jim
Attachment:
snort.conf
Description: snort.conf
{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22 Frag3 engine config:\par
Bound Address: default\par
Target-based policy: WINDOWS\par
Fragment timeout: 180 seconds\par
Fragment min_ttl: 1\par
Fragment Anomalies: Alert\par
Overlap Limit: 10\par
Min fragment Length: 100\par
Stream5 global config:\par
Track TCP sessions: ACTIVE\par
Max TCP sessions: 262144\par
Memcap (for reassembly packet storage): 8388608\par
Track UDP sessions: ACTIVE\par
Max UDP sessions: 131072\par
Track ICMP sessions: INACTIVE\par
Track IP sessions: INACTIVE\par
Log info if session memory consumption exceeds 1048576\par
Send up to 2 active responses\par
Wait at least 5 seconds between responses\par
Protocol Aware Flushing: ACTIVE\par
Maximum Flush Point: 16000\par
Stream5 TCP Policy config:\par
Bound Address: default\par
Reassembly Policy: WINDOWS\par
Timeout: 180 seconds\par
Limit on TCP Overlaps: 10\par
Maximum number of bytes to queue per session: 1048576\par
Maximum number of segs to queue per session: 2621\par
Options:\par
Require 3-Way Handshake: YES\par
3-Way Handshake Timeout: 180\par
Detect Anomalies: YES\par
Reassembly Ports:\par
21 client (Footprint)\par
22 client (Footprint)\par
23 client (Footprint)\par
25 client (Footprint)\par
42 client (Footprint)\par
53 client (Footprint)\par
79 client (Footprint)\par
80 client (Footprint) server (Footprint)\par
81 client (Footprint) server (Footprint)\par
109 client (Footprint)\par
110 client (Footprint)\par
111 client (Footprint)\par
113 client (Footprint)\par
119 client (Footprint)\par
135 client (Footprint)\par
136 client (Footprint)\par
137 client (Footprint)\par
139 client (Footprint)\par
143 client (Footprint)\par
161 client (Footprint)\par
additional ports configured but not printed.\par
Stream5 UDP Policy config:\par
Timeout: 180 seconds\par
HttpInspect Config:\par
GLOBAL CONFIG\par
Max Pipeline Requests: 0\par
Inspection Type: STATELESS\par
Detect Proxy Usage: NO\par
IIS Unicode Map Filename: c:\\snort\\etc\\unicode.map\par
IIS Unicode Map Codepage: 1252\par
Memcap used for logging URI and Hostname: 150994944\par
Max Gzip Memory: 838860\par
Max Gzip Sessions: 9532\par
Gzip Compress Depth: 65535\par
Gzip Decompress Depth: 65535\par
DEFAULT SERVER CONFIG:\par
Server profile: All\par
Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809\par
3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008\par
8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899\par
9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555\par
Server Flow Depth: 0\par
Client Flow Depth: 0\par
Max Chunk Length: 500000\par
Small Chunk Length Evasion: chunk size <=10,threshold>= 5 times\par
Max Header Field Length: 750\par
Max Number Header Fields: 100\par
Max Number of WhiteSpaces allowed with header folding: 200\par
Inspect Pipeline Requests: YES\par
URI Discovery Strict Mode: NO\par
Allow Proxy Usage: NO\par
Disable Alerting: NO\par
Oversize Dir Length: 500\par
Only inspect URI: NO\par
Normalize HTTP Headers: NO\par
Inspect HTTP Cookies: YES\par
Inspect HTTP Responses: YES\par
Extract Gzip from responses: YES\par
Unlimited decompression of gzip data from responses: YES\par
Normalize Javascripts in HTTP Responses: YES\par
Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP resp\par
onses: 200\par
Normalize HTTP Cookies: NO\par
Enable XFF and True Client IP: NO\par
Log HTTP URI data: NO\par
Log HTTP Hostname data: NO\par
Extended ASCII code support in URI: NO\par
Ascii: YES alert: NO\par
Double Decoding: YES alert: NO\par
%U Encoding: YES alert: YES\par
Bare Byte: YES alert: NO\par
UTF 8: YES alert: NO\par
IIS Unicode: YES alert: NO\par
Multiple Slash: YES alert: NO\par
IIS Backslash: YES alert: NO\par
Directory Traversal: YES alert: NO\par
Web Root Traversal: YES alert: NO\par
Apache WhiteSpace: YES alert: NO\par
IIS Delimiter: YES alert: NO\par
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG\par
Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07\par
Whitespace Characters: 0x09 0x0b 0x0c 0x0d\par
rpc_decode arguments:\par
Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777\par
32778 32779\par
alert_fragments: INACTIVE\par
alert_large_fragments: INACTIVE\par
alert_incomplete: INACTIVE\par
alert_multiple_requests: INACTIVE\par
FTPTelnet Config:\par
GLOBAL CONFIG\par
Inspection Type: stateful\par
Check for Encrypted Traffic: YES alert: NO\par
Continue to check encrypted data: YES\par
TELNET CONFIG:\par
Ports: 23\par
Are You There Threshold: 20\par
Normalize: YES\par
Detect Anomalies: YES\par
FTP CONFIG:\par
FTP Server: default\par
Ports (PAF): 21 2100 3535\par
Check for Telnet Cmds: YES alert: YES\par
Ignore Telnet Cmd Operations: YES alert: YES\par
Identify open data channels: NO\par
FTP Client: default\par
Check for Bounce Attacks: YES alert: YES\par
Check for Telnet Cmds: YES alert: YES\par
Ignore Telnet Cmd Operations: YES alert: YES\par
Max Response Length: 256\par
SMTP Config:\par
Ports: 25 465 587 691\par
Inspection Type: Stateful\par
Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN\par
HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK\par
TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2\par
STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50\par
Ignore Data: No\par
Ignore TLS Data: No\par
Ignore SMTP Alerts: No\par
Max Command Line Length: 512\par
Max Specific Command Line Length:\par
ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255\par
EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255\par
ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500\par
IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246\par
QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246\par
SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246\par
TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246\par
XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246\par
XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246\par
XUSR:246\par
Max Header Line Length: 1000\par
Max Response Line Length: 512\par
X-Link2State Alert: Yes\par
Drop on X-Link2State Alert: No\par
Alert on commands: None\par
Alert on unknown commands: No\par
SMTP Memcap: 838860\par
MIME Max Mem: 838860\par
Base64 Decoding: Enabled\par
Base64 Decoding Depth: Unlimited\par
Quoted-Printable Decoding: Enabled\par
Quoted-Printable Decoding Depth: Unlimited\par
Unix-to-Unix Decoding: Enabled\par
Unix-to-Unix Decoding Depth: Unlimited\par
Non-Encoded MIME attachment Extraction: Enabled\par
Non-Encoded MIME attachment Extraction Depth: Unlimited\par
Log Attachment filename: Enabled\par
Log MAIL FROM Address: Enabled\par
Log RCPT TO Addresses: Enabled\par
Log Email Headers: Enabled\par
Email Hdrs Log Depth: 1464\par
SSH config:\par
Autodetection: ENABLED\par
Challenge-Response Overflow Alert: ENABLED\par
SSH1 CRC32 Alert: ENABLED\par
Server Version String Overflow Alert: ENABLED\par
Protocol Mismatch Alert: ENABLED\par
Bad Message Direction Alert: DISABLED\par
Bad Payload Size Alert: DISABLED\par
Unrecognized Version Alert: DISABLED\par
Max Encrypted Packets: 20\par
Max Server Version String Length: 100\par
MaxClientBytes: 19600 (Default)\par
Ports:\par
22\par
DCE/RPC 2 Preprocessor Configuration\par
Global Configuration\par
DCE/RPC Defragmentation: Enabled\par
Memcap: 102400 KB\par
Events: co\par
SMB Fingerprint policy: Disabled\par
Server Default Configuration\par
Policy: WinXP\par
Detect ports (PAF)\par
SMB: 139 445\par
TCP: 135\par
UDP: 135\par
RPC over HTTP server: 593\par
RPC over HTTP proxy: None\par
Autodetect ports (PAF)\par
SMB: None\par
TCP: 1025-65535\par
UDP: 1025-65535\par
RPC over HTTP server: 1025-65535\par
RPC over HTTP proxy: None\par
Invalid SMB shares: C$ D$ ADMIN$\par
Maximum SMB command chaining: 3 commands\par
DNS config:\par
DNS Client rdata txt Overflow Alert: ACTIVE\par
Obsolete DNS RR Types Alert: INACTIVE\par
Experimental DNS RR Types Alert: INACTIVE\par
Ports: 53\par
SSLPP config:\par
Encrypted packets: not inspected\par
Ports:\par
443 465 563 636 989\par
992 993 994 995 7801\par
7802 7900 7901 7902 7903\par
7904 7905 7906 7907 7908\par
7909 7910 7911 7912 7913\par
7914 7915 7916 7917 7918\par
7919 7920\par
Server side data is trusted\par
Sensitive Data preprocessor config:\par
Global Alert Threshold: 25\par
Masked Output: DISABLED\par
SIP config:\par
Max number of sessions: 40000\par
Max number of dialogs in a session: 4 (Default)\par
Status: ENABLED\par
Ignore media channel: DISABLED\par
Max URI length: 512\par
Max Call ID length: 80\par
Max Request name length: 20 (Default)\par
Max From length: 256 (Default)\par
Max To length: 256 (Default)\par
Max Via length: 1024 (Default)\par
Max Contact length: 512\par
Max Content length: 2048\par
Ports:\par
5060 5061 5600\par
Methods:\par
invite cancel ack bye register options refer subscribe update join inf\par
o message notify benotify do qauth sprack publish service unsubscribe prack\par
IMAP Config:\par
Ports: 143\par
IMAP Memcap: 838860\par
Base64 Decoding: Enabled\par
Base64 Decoding Depth: Unlimited\par
Quoted-Printable Decoding: Enabled\par
Quoted-Printable Decoding Depth: Unlimited\par
Unix-to-Unix Decoding: Enabled\par
Unix-to-Unix Decoding Depth: Unlimited\par
Non-Encoded MIME attachment Extraction: Enabled\par
Non-Encoded MIME attachment Extraction Depth: Unlimited\par
POP Config:\par
Ports: 110\par
POP Memcap: 838860\par
Base64 Decoding: Enabled\par
Base64 Decoding Depth: Unlimited\par
Quoted-Printable Decoding: Enabled\par
Quoted-Printable Decoding Depth: Unlimited\par
Unix-to-Unix Decoding: Enabled\par
Unix-to-Unix Decoding Depth: Unlimited\par
Non-Encoded MIME attachment Extraction: Enabled\par
Non-Encoded MIME attachment Extraction Depth: Unlimited\par
Modbus config:\par
Ports:\par
502\par
DNP3 config:\par
Memcap: 262144\par
Check Link-Layer CRCs: ENABLED\par
Ports:\par
20000\par
Reputation config:\par
WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor dis\par
abled.\par
\par
+++++++++++++++++++++++++++++++++++++++++++++++++++\par
Initializing rule chains...\par
ERROR: c:\\snort\\rules/app-detect.rules(18) Unknown ClassType: web-application-at\par
tack\par
Fatal Error, Quitting..\par
Could not create the registry key.\par
C:\\Snort\\bin>\par
}
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
endpoint security space. For insight on selecting the right partner to
tackle endpoint security challenges, access the full report.
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- startup error on with blacklist rules Jim Turner (Mar 11)