Snort mailing list archives

Previous By Date Next
Previous By Thread Next

startup error on with blacklist rules

From: Jim Turner <JTurner () hilltopconsultants com>
Date: Mon, 11 Mar 2013 10:11:22 -0400
Hello Everyone,



I got past the problem I reported the other day.  However, now I am stuck on a different error processing blacklist and 
most likely whitelist rules.



I have attached my snort.conf and the error that I am receiving.



I am running 2.9.4.1 on Windows 7 Pro.  I really appreciate your help.



Thanks,



Jim

Attachment: snort.conf
Description: snort.conf

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}} {\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22 Frag3 engine config:\par Bound Address: default\par Target-based policy: WINDOWS\par Fragment timeout: 180 seconds\par Fragment min_ttl: 1\par Fragment Anomalies: Alert\par Overlap Limit: 10\par Min fragment Length: 100\par Stream5 global config:\par Track TCP sessions: ACTIVE\par Max TCP sessions: 262144\par Memcap (for reassembly packet storage): 8388608\par Track UDP sessions: ACTIVE\par Max UDP sessions: 131072\par Track ICMP sessions: INACTIVE\par Track IP sessions: INACTIVE\par Log info if session memory consumption exceeds 1048576\par Send up to 2 active responses\par Wait at least 5 seconds between responses\par Protocol Aware Flushing: ACTIVE\par Maximum Flush Point: 16000\par Stream5 TCP Policy config:\par Bound Address: default\par Reassembly Policy: WINDOWS\par Timeout: 180 seconds\par Limit on TCP Overlaps: 10\par Maximum number of bytes to queue per session: 1048576\par Maximum number of segs to queue per session: 2621\par Options:\par Require 3-Way Handshake: YES\par 3-Way Handshake Timeout: 180\par Detect Anomalies: YES\par Reassembly Ports:\par 21 client (Footprint)\par 22 client (Footprint)\par 23 client (Footprint)\par 25 client (Footprint)\par 42 client (Footprint)\par 53 client (Footprint)\par 79 client (Footprint)\par 80 client (Footprint) server (Footprint)\par 81 client (Footprint) server (Footprint)\par 109 client (Footprint)\par 110 client (Footprint)\par 111 client (Footprint)\par 113 client (Footprint)\par 119 client (Footprint)\par 135 client (Footprint)\par 136 client (Footprint)\par 137 client (Footprint)\par 139 client (Footprint)\par 143 client (Footprint)\par 161 client (Footprint)\par additional ports configured but not printed.\par Stream5 UDP Policy config:\par Timeout: 180 seconds\par HttpInspect Config:\par GLOBAL CONFIG\par Max Pipeline Requests: 0\par Inspection Type: STATELESS\par Detect Proxy Usage: NO\par IIS Unicode Map Filename: c:\\snort\\etc\\unicode.map\par IIS Unicode Map Codepage: 1252\par Memcap used for logging URI and Hostname: 150994944\par Max Gzip Memory: 838860\par Max Gzip Sessions: 9532\par Gzip Compress Depth: 65535\par Gzip Decompress Depth: 65535\par DEFAULT SERVER CONFIG:\par Server profile: All\par Ports (PAF): 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809\par 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008\par 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899\par 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555\par Server Flow Depth: 0\par Client Flow Depth: 0\par Max Chunk Length: 500000\par Small Chunk Length Evasion: chunk size <=10,threshold>= 5 times\par Max Header Field Length: 750\par Max Number Header Fields: 100\par Max Number of WhiteSpaces allowed with header folding: 200\par Inspect Pipeline Requests: YES\par URI Discovery Strict Mode: NO\par Allow Proxy Usage: NO\par Disable Alerting: NO\par Oversize Dir Length: 500\par Only inspect URI: NO\par Normalize HTTP Headers: NO\par Inspect HTTP Cookies: YES\par Inspect HTTP Responses: YES\par Extract Gzip from responses: YES\par Unlimited decompression of gzip data from responses: YES\par Normalize Javascripts in HTTP Responses: YES\par Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP resp\par onses: 200\par Normalize HTTP Cookies: NO\par Enable XFF and True Client IP: NO\par Log HTTP URI data: NO\par Log HTTP Hostname data: NO\par Extended ASCII code support in URI: NO\par Ascii: YES alert: NO\par Double Decoding: YES alert: NO\par %U Encoding: YES alert: YES\par Bare Byte: YES alert: NO\par UTF 8: YES alert: NO\par IIS Unicode: YES alert: NO\par Multiple Slash: YES alert: NO\par IIS Backslash: YES alert: NO\par Directory Traversal: YES alert: NO\par Web Root Traversal: YES alert: NO\par Apache WhiteSpace: YES alert: NO\par IIS Delimiter: YES alert: NO\par IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG\par Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07\par Whitespace Characters: 0x09 0x0b 0x0c 0x0d\par rpc_decode arguments:\par Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777\par 32778 32779\par alert_fragments: INACTIVE\par alert_large_fragments: INACTIVE\par alert_incomplete: INACTIVE\par alert_multiple_requests: INACTIVE\par FTPTelnet Config:\par GLOBAL CONFIG\par Inspection Type: stateful\par Check for Encrypted Traffic: YES alert: NO\par Continue to check encrypted data: YES\par TELNET CONFIG:\par Ports: 23\par Are You There Threshold: 20\par Normalize: YES\par Detect Anomalies: YES\par FTP CONFIG:\par FTP Server: default\par Ports (PAF): 21 2100 3535\par Check for Telnet Cmds: YES alert: YES\par Ignore Telnet Cmd Operations: YES alert: YES\par Identify open data channels: NO\par FTP Client: default\par Check for Bounce Attacks: YES alert: YES\par Check for Telnet Cmds: YES alert: YES\par Ignore Telnet Cmd Operations: YES alert: YES\par Max Response Length: 256\par SMTP Config:\par Ports: 25 465 587 691\par Inspection Type: Stateful\par Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN\par HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND STARTTLS SOML TICK\par TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR XEXCH50 XGEN XLICENSE X-LINK2\par STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT X-DRCP X-ERCP X-EXCH50\par Ignore Data: No\par Ignore TLS Data: No\par Ignore SMTP Alerts: No\par Max Command Line Length: 512\par Max Specific Command Line Length:\par ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255\par EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255\par ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500\par IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246\par QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246\par SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246\par TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246\par XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246\par XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246\par XUSR:246\par Max Header Line Length: 1000\par Max Response Line Length: 512\par X-Link2State Alert: Yes\par Drop on X-Link2State Alert: No\par Alert on commands: None\par Alert on unknown commands: No\par SMTP Memcap: 838860\par MIME Max Mem: 838860\par Base64 Decoding: Enabled\par Base64 Decoding Depth: Unlimited\par Quoted-Printable Decoding: Enabled\par Quoted-Printable Decoding Depth: Unlimited\par Unix-to-Unix Decoding: Enabled\par Unix-to-Unix Decoding Depth: Unlimited\par Non-Encoded MIME attachment Extraction: Enabled\par Non-Encoded MIME attachment Extraction Depth: Unlimited\par Log Attachment filename: Enabled\par Log MAIL FROM Address: Enabled\par Log RCPT TO Addresses: Enabled\par Log Email Headers: Enabled\par Email Hdrs Log Depth: 1464\par SSH config:\par Autodetection: ENABLED\par Challenge-Response Overflow Alert: ENABLED\par SSH1 CRC32 Alert: ENABLED\par Server Version String Overflow Alert: ENABLED\par Protocol Mismatch Alert: ENABLED\par Bad Message Direction Alert: DISABLED\par Bad Payload Size Alert: DISABLED\par Unrecognized Version Alert: DISABLED\par Max Encrypted Packets: 20\par Max Server Version String Length: 100\par MaxClientBytes: 19600 (Default)\par Ports:\par 22\par DCE/RPC 2 Preprocessor Configuration\par Global Configuration\par DCE/RPC Defragmentation: Enabled\par Memcap: 102400 KB\par Events: co\par SMB Fingerprint policy: Disabled\par Server Default Configuration\par Policy: WinXP\par Detect ports (PAF)\par SMB: 139 445\par TCP: 135\par UDP: 135\par RPC over HTTP server: 593\par RPC over HTTP proxy: None\par Autodetect ports (PAF)\par SMB: None\par TCP: 1025-65535\par UDP: 1025-65535\par RPC over HTTP server: 1025-65535\par RPC over HTTP proxy: None\par Invalid SMB shares: C$ D$ ADMIN$\par Maximum SMB command chaining: 3 commands\par DNS config:\par DNS Client rdata txt Overflow Alert: ACTIVE\par Obsolete DNS RR Types Alert: INACTIVE\par Experimental DNS RR Types Alert: INACTIVE\par Ports: 53\par SSLPP config:\par Encrypted packets: not inspected\par Ports:\par 443 465 563 636 989\par 992 993 994 995 7801\par 7802 7900 7901 7902 7903\par 7904 7905 7906 7907 7908\par 7909 7910 7911 7912 7913\par 7914 7915 7916 7917 7918\par 7919 7920\par Server side data is trusted\par Sensitive Data preprocessor config:\par Global Alert Threshold: 25\par Masked Output: DISABLED\par SIP config:\par Max number of sessions: 40000\par Max number of dialogs in a session: 4 (Default)\par Status: ENABLED\par Ignore media channel: DISABLED\par Max URI length: 512\par Max Call ID length: 80\par Max Request name length: 20 (Default)\par Max From length: 256 (Default)\par Max To length: 256 (Default)\par Max Via length: 1024 (Default)\par Max Contact length: 512\par Max Content length: 2048\par Ports:\par 5060 5061 5600\par Methods:\par invite cancel ack bye register options refer subscribe update join inf\par o message notify benotify do qauth sprack publish service unsubscribe prack\par IMAP Config:\par Ports: 143\par IMAP Memcap: 838860\par Base64 Decoding: Enabled\par Base64 Decoding Depth: Unlimited\par Quoted-Printable Decoding: Enabled\par Quoted-Printable Decoding Depth: Unlimited\par Unix-to-Unix Decoding: Enabled\par Unix-to-Unix Decoding Depth: Unlimited\par Non-Encoded MIME attachment Extraction: Enabled\par Non-Encoded MIME attachment Extraction Depth: Unlimited\par POP Config:\par Ports: 110\par POP Memcap: 838860\par Base64 Decoding: Enabled\par Base64 Decoding Depth: Unlimited\par Quoted-Printable Decoding: Enabled\par Quoted-Printable Decoding Depth: Unlimited\par Unix-to-Unix Decoding: Enabled\par Unix-to-Unix Decoding Depth: Unlimited\par Non-Encoded MIME attachment Extraction: Enabled\par Non-Encoded MIME attachment Extraction Depth: Unlimited\par Modbus config:\par Ports:\par 502\par DNP3 config:\par Memcap: 262144\par Check Link-Layer CRCs: ENABLED\par Ports:\par 20000\par Reputation config:\par WARNING: Can't find any whitelist/blacklist entries. Reputation Preprocessor dis\par abled.\par \par +++++++++++++++++++++++++++++++++++++++++++++++++++\par Initializing rule chains...\par ERROR: c:\\snort\\rules/app-detect.rules(18) Unknown ClassType: web-application-at\par tack\par Fatal Error, Quitting..\par Could not create the registry key.\par C:\\Snort\\bin>\par } 
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: