Snort mailing list archives
Re: Understanding how to debug snort.config
From: Russ <rucombs () cisco com>
Date: Wed, 7 Dec 2016 12:07:39 -0500
It looks like you are missing the trailing \ on the line ahead of decompress_pdf, which is part of the preprocessor http_inspect_server configuration. Without that trailing \, Snort thinks decompress_pdf must be the start of a rule.
You can check the Snort user manual for the configuration of the HTTP preprocessor. That option enables detection within certain compressed blobs in PDF files returned by an HTTP server.
On 12/7/16 11:02 AM, Jared F wrote:
Thanks Russ! That was exactly it, and I deleted the lzma entry on line (325) but ran into another error on (326):

ERROR: F:\Snort\etc\snort.conf(326) Unknown rule type: decompress_pdf.

I promptly commented it out and now the conf file validates, but is there a resource that can inform me what this line's initial action was supposed to do? And why I would want it to run? Thanks again and your assistance is much appreciated!

------------------------------------------------------------------------
*From:* Russ <rucombs () cisco com>
*Sent:* Tuesday, December 6, 2016 6:47 PM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Understanding how to debug snort.config

This looks like the same error others have reported recently. If your lines look like the below, you need to remove lzma from decompress_swf or install liblzma. The error message is confusing because there is a bug with the error message itself.

Line 325: decompress_swf { deflate lzma } \
Line 326: decompress_pdf { deflate }

On 12/6/16 6:48 PM, wkitty42 () windstream net wrote:

On 12/06/2016 05:26 PM, Jared F wrote:

I thought the (326) meant the line the error was coming from and although there is a bracket there it doesn't look wrong. Where should I start learning how to troubleshoot snort?

you are correct... the error was discovered at line 326... look above it to find the actual error... if you post that block, we can probably point the error out to you real quick...
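The failure mode discussed in this thread (a multi-line preprocessor block that loses its trailing backslash, which Snort then reports as "Unknown rule type" on the *next* line) is easy to catch before running Snort. The script below is an added example, not code from the thread or from the Snort project: it splits a snort.conf into logical statements the same way Snort's reader joins backslash-continued lines, checks that each statement starts with a directive keyword, and points back at the line that should have ended in a backslash. The two config fragments are constructed to mirror the thread's lines 325/326, and the keyword set is an assumed subset of Snort 2.9 directives, so extend it for your own file. The authoritative check is still `snort -T -c snort.conf`.

```python
"""Lint for missing line continuations in snort.conf (added example, not Snort code).

Snort joins a physical line that ends in '\' with the next one.  A line without
the backslash ends the statement, and the first token of the following
non-blank, non-comment line must be a top-level directive.  When a backslash is
dropped inside a multi-line preprocessor block, Snort reports
"Unknown rule type: <token>" at the following line, which sends people looking
in the wrong place.  This lint names the token and the line that lost its '\'.
"""

# Assumed subset of Snort 2.9 top-level directives and rule actions.
# Anything else at the start of a statement is treated as a continuation
# that escaped its block.
KEYWORDS = {
    "var", "ipvar", "portvar", "config", "include", "preprocessor", "output",
    "dynamicpreprocessor", "dynamicengine", "dynamicdetection", "dynamicoutput",
    "attribute_table", "ruletype", "threshold", "event_filter", "suppress",
    "rate_filter", "alert", "log", "pass", "drop", "reject", "sdrop",
    "activate", "dynamic",
}

# Constructed fragment reproducing the thread's problem: the decompress_swf
# line no longer ends in '\', so decompress_pdf starts a new statement.
BROKEN_CONF = """\
# constructed snort.conf fragment (not the file from the thread)
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    decompress_swf { deflate }
    decompress_pdf { deflate }
"""

# Same fragment with the continuation restored.
FIXED_CONF = """\
# constructed snort.conf fragment with the trailing backslash restored
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    decompress_swf { deflate } \\
    decompress_pdf { deflate }
"""


def logical_statements(text):
    """Yield (start, end, body) for each logical statement in snort.conf text.

    start/end are 1-based physical line numbers of the first and last line of
    the statement; body is the joined text.  A line whose last non-blank
    character is '\' continues on the next line.  Blank lines and '#' comments
    between statements are skipped.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        start = i + 1
        parts = []
        while i < len(lines):
            raw = lines[i].rstrip()
            i += 1
            if raw.endswith("\\"):
                parts.append(raw[:-1])  # drop the continuation marker, keep joining
            else:
                parts.append(raw)
                break
        yield start, i, " ".join(parts).strip()


def lint(text):
    """Return findings as (bad_line, previous_end_line, token).

    bad_line is the line Snort would name in "Unknown rule type: <token>";
    previous_end_line is the last line of the preceding statement, i.e. the
    usual location of the missing backslash (None if there is no preceding
    statement).
    """
    findings = []
    prev_end = None
    for start, end, body in logical_statements(text):
        token = body.split(None, 1)[0]
        if token not in KEYWORDS:
            findings.append((start, prev_end, token))
        prev_end = end
    return findings


def report(text):
    """Render findings with the pointer Snort's own message lacks."""
    out = []
    for bad, prev, token in lint(text):
        msg = f"line {bad}: unknown rule type '{token}'"
        if prev is not None:
            msg += f"; check line {prev} for a missing trailing backslash"
        out.append(msg)
    return out


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {report(conf) or 'no problems found'}")
```

On the broken fragment the lint reports line 5 and points at line 4, which is exactly the "look above the line Snort names" advice in the thread. It will not catch the other problem Russ mentions, `lzma` listed in `decompress_swf` on a build without liblzma, since that only surfaces at runtime; for that, read the full `snort -T -c snort.conf` output rather than the single line number it names.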
Current thread:
- Understanding how to debug snort.config Jared F (Dec 06)
- Re: Understanding how to debug snort.config wkitty42 (Dec 06)
- Re: Understanding how to debug snort.config Russ (Dec 06)
- Message not available
- Re: Understanding how to debug snort.config Russ (Dec 07)
- Re: Understanding how to debug snort.config Russ (Dec 06)
- Re: Understanding how to debug snort.config Michael Steele (Dec 06)
- Re: Understanding how to debug snort.config wkitty42 (Dec 06)