Snort mailing list archives
Re: community.rules file - failure error during restart or start of snort
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 30 Apr 2014 20:03:38 +0000
http://blog.snort.org/2012/01/portvar-lookup-failed-on-filedataports.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Apr 30, 2014, at 3:47 PM, Farnsworth, Robert <robert.farnsworth () hp com> wrote:

Here’s a more updated /var/adm/messages with the line enabled. Hope this helps.

Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Frag3 statistics:
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Total Fragments: 7058
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Frags Reassembled: 1850
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Discards: 3198
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Memory Faults: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Timeouts: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Overlaps: 1599
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Anomalies: 1599
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Alerts: 1599
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Drops: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] FragTrackers Added: 3239
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] FragTrackers Dumped: 3239
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] FragTrackers Auto Freed: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Frag Nodes Inserted: 5459
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Frag Nodes Deleted: 5459
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Stream5 statistics:
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Total sessions: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] UDP sessions: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ICMP sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] IP sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] UDP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ICMP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] IP Prunes: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP StreamTrackers Created: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP StreamTrackers Deleted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Timeouts: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Overlaps: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Segments Queued: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Segments Released: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Rebuilt Packets: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Segments Used: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Discards: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Gaps: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] UDP Sessions Created: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] UDP Sessions Deleted: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] UDP Timeouts: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] UDP Discards: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Events: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Internal Events: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] TCP Port Filter
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Dropped: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Inspected: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Tracked: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] UDP Port Filter
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Dropped: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Inspected: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Tracked: 47790
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP Inspect - encodings (Note: stream-reassembled packets included):
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] POST methods: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] GET methods: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP Request Headers extracted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP Request Cookies extracted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Post parameters extracted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP response Headers extracted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP Response Cookies extracted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Unicode: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Double unicode: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Non-ASCII representable: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Directory traversals: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Extra slashes ("//"): 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Self-referencing paths ("./"): 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] HTTP Response Gzip packets extracted: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Gzip Compressed Data Processed: n/a
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Gzip Decompressed Data Processed: n/a
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Total packets processed: 8666800
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] SMTP Preprocessor Statistics
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Total sessions : 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Max concurrent sessions : 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] dcerpc2 Preprocessor Statistics
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Total sessions: 0
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] ===============================================================================
Apr 30 15:45:26 serverx last message repeated 1 time
Apr 30 15:45:26 serverx snort[23008]: [ID 702911 daemon.notice] Snort exiting
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2321) GID 1 SID 21255 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2322) GID 1 SID 21256 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2326) GID 1 SID 21327 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2332) GID 1 SID 21475 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2386) GID 1 SID 24034 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2399) GID 1 SID 25119 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2434) GID 1 SID 25946 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2448) GID 1 SID 26265 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2465) GID 1 SID 26399 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2466) GID 1 SID 26400 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2467) GID 1 SID 26401 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2468) GID 1 SID 26402 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2469) GID 1 SID 26403 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2470) GID 1 SID 26404 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2471) GID 1 SID 26405 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2472) GID 1 SID 26406 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2473) GID 1 SID 26407 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2474) GID 1 SID 26408 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 702911 daemon.notice] WARNING: ../rules/community.rules(2475) GID 1 SID 26409 in rule duplicates previous rule. Ignoring old rule.
Apr 30 15:45:27 serverx snort[29457]: [ID 379120 daemon.error] FATAL ERROR: ../rules/community.rules(2488) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
167 serverx /usr/local/snort/etc$

From: Michael Brown [mailto:mike.a.brown09 () gmail com]
Sent: Wednesday, April 30, 2014 3:45 PM
To: Farnsworth, Robert
Cc: Joel Esler (jesler); snort-users () lists sourceforge net; waldo kitty
Subject: Re: [Snort-users] community.rules file - failure error during restart or start of snort

Can you give us the same output when you have that line enabled?

---
Thank you,
Michael A. Brown
mike.a.brown09 () gmail com
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist
"The only thing necessary for the triumph of evil is for good men to do nothing" -Edmund Burke

On Wed, Apr 30, 2014 at 3:37 PM, Farnsworth, Robert <robert.farnsworth () hp com> wrote:

LOL, that was after removing the community.rules entry from the snort.conf. So yes, it does start after removing or commenting out the $RULE_PATH/community.rules. But it does not start with the entry included in the file, hence the reason I am e-mailing this community.

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Wednesday, April 30, 2014 3:33 PM
To: Farnsworth, Robert
Cc: waldo kitty; snort-users () lists sourceforge net
Subject: Re: [Snort-users] community.rules file - failure error during restart or start of snort

On Apr 30, 2014, at 3:21 PM, Farnsworth, Robert <robert.farnsworth () hp com> wrote:

Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Commencing packet processing (pid=23008)

Looks like it started to me.

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available. Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
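The FATAL ERROR in the quoted log is community.rules referencing a port variable that this snort.conf never defines, and the duplicate-SID warnings just before it are the same class of problem: both only surface after the old snort process has already exited. The following pre-flight lint is an added example, not code from the thread or from the Snort project; the snort.conf and rules contents are constructed inline, and it assumes Snort's usual default of GID 1 when a rule carries no gid option.

```python
# Added example (not from the thread or the Snort project): lint Snort 2.x rule
# files for $VARIABLE references with no portvar/ipvar/var definition, and for
# repeated GID/SID pairs, before restarting the sensor.  Inputs are constructed.
import re
from collections import Counter

SNORT_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
"""  # FILE_DATA_PORTS deliberately left undefined, as in the thread

COMMUNITY_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"a"; sid:21255; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"b"; sid:21255; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"c"; sid:21256; rev:1;)
"""

DEF_RE = re.compile(r"^\s*(?:portvar|ipvar|var)\s+(\w+)\s", re.M)
REF_RE = re.compile(r"\$(\w+)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")

def active_rules(rules_text):
    """Yield (line_no, line) for non-blank, non-comment rule lines."""
    for n, line in enumerate(rules_text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield n, line

def undefined_refs(conf_text, rules_text):
    """(line_no, name) for each $NAME in a rule header that snort.conf never
    defines; only the header (before the first '(') is scanned so a '$' inside
    a pcre or content option is not taken for a variable."""
    defs = set(DEF_RE.findall(conf_text))
    return [(n, name) for n, line in active_rules(rules_text)
            for name in REF_RE.findall(line.split("(", 1)[0])
            if name not in defs]

def duplicate_sids(rules_text):
    """(gid, sid) pairs seen more than once; gid is assumed 1 when absent."""
    seen = Counter()
    for _, line in active_rules(rules_text):
        sid = SID_RE.search(line)
        if sid:
            gid = GID_RE.search(line)
            seen[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] += 1
    return sorted(k for k, c in seen.items() if c > 1)

if __name__ == "__main__":
    print(undefined_refs(SNORT_CONF, COMMUNITY_RULES))  # [(3, 'FILE_DATA_PORTS')]
    print(duplicate_sids(COMMUNITY_RULES))             # [(1, 21255)]
```

Run it against the real snort.conf and each file named by an include line before a restart, and the lookup failure is caught while the old process is still inspecting traffic.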