Snort mailing list archives
Win 32 Snort 1.8.1 Release Problems With the Z Switch
From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Thu, 16 Aug 2001 10:29:37 -0700
Hello fellow Snorters,

I have been running the static binary Win32 version of Snort 1.8.1 release build 74 from Silicon Defense since yesterday starting at 0300 PM PDT. Snort ran all night and was still running this morning when I returned to work. I have one major problem. If I use the z switch, I receive an immediate Dr. Watson error. I have read the users manual twice and cannot figure out what I might be doing wrong. We run three Snort 1.7 systems in production mode and have been running Snort on Windows NT since 1.6 was first ported to Windows. I sure could use your ideas.

Here is the system info:

P3 933mhz
512mb memory
18gb free hard drive space
Windows NT 4.0 SP6
Latest Snort 1.8 Vision rules
Winpcap version 2.2

Snort startup from the command line:

This command line runs fine. I kept the command line very simple and brief for the test conditions.

C:\snort-1.8.1>snort -A fast -c snort.conf
Log directory =

--== Initializing Snort ==--
Checking PID path...
Initializing Network Interface \
Decoding Ethernet on interface \Device\Packet_El90xnd1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
530 Snort rules read...
530 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 74)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
(based on code from 1.7 port)

If I use this command line:

C:\snort-1.8.1>snort -A fast -z est -c snort.conf

I receive an immediate Dr. Watson error (access violation) and Snort.exe exits.

Here is my abbreviated snort.conf

# $Id: snort.conf,v 1.62 2001/08/12 04:31:01 roesch Exp $
var HOME_NET xxx.yyy.0.0/16
var EXTERNAL_NET !$HOME_NET
var DNS1 xxx.yyy.www.1
var DNS2 xxx.yyy.www.2
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 5 5 portscan.log
preprocessor portscan-ignorehosts: $DNS1 $DNS2
include classification.config
include vision.rules

I have tried setting different options for stream4 with no resolution of the problem.

Thank you for your time and help,

Brent Erickson