Snort mailing list archives

Snort 2.1.0 and http_decode issue


From: "Micah Powell" <micah () wapzoneoz com>
Date: Sun, 11 Jan 2004 13:59:57 +1100

G'Day,

 

I recently upgraded snort to 2.1.0.  I have had a few dramas but have
finally got it going again (problems with the startup script).

 

One thing I can't figure out though is this.

 

When I try to start it I get this in the log:

 

Jan 10 02:21:04 server01 snort: Initializing daemon mode
Jan 10 02:21:04 server01 snort: PID path stat checked out ok, PID path set to /var/run/
Jan 10 02:21:04 server01 snort: Writing PID "3558" to file "/var/run//snort_eth0.pid"
Jan 10 02:21:04 server01 snort: FATAL ERROR: unknown preprocessor "\200O^[^H_decode"
Jan 10 02:21:04 server01 kernel: device eth0 left promiscuous mode
Jan 10 02:21:04 server01 snortd: snort startup succeeded

 

But it doesn't actually start.

 

I went through the preprocessors (with the word 'decode') one by one and
commented them out and it would appear that http_decode is the problem.

 

I downloaded the latest rules (for 2.1.0) and had a look at the snort.conf.
I found that there is no http_decode preprocessor listed. I also had a look
at the snort.conf.rpmnew that was installed as part of the upgrade and
there was no trace of it there either.

 

Is it still there? Is there something that took its place?

 

Micah

______________________________________________

Anti-Spam: Postfix & SpamAssassin

Anti-Virus: amavis-new and f-Prot

Firewall: ClarkConnect (Linux) firewall (www.clarkconnect.org)

SMTP: Postfix
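
Added example, not part of the original post: a shell version of the comparison described above, listing preprocessor directives that are active in snort.conf but are not mentioned anywhere in the packaged snort.conf.rpmnew. The function names and both sample config files are constructed for illustration.

```shell
#!/bin/sh
# Names of the preprocessors a snort.conf activates (uncommented lines only).
preprocs() {
    sed -n 's/^[[:space:]]*preprocessor[[:space:]][[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# Names activated in the running config ($1) that the packaged reference
# config ($2) never mentions, not even in a commented-out line.
stale_preprocs() {
    for name in $(preprocs "$1"); do
        grep -Eq "^[[:space:]#]*preprocessor[[:space:]]+$name([[:space:]:]|\$)" "$2" ||
            echo "$name"
    done
}

# Constructed sample files standing in for snort.conf and snort.conf.rpmnew.
make_samples() {
    cat > "$1/snort.conf" <<'EOF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
  preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
# preprocessor telnet_decode
EOF
    cat > "$1/snort.conf.rpmnew" <<'EOF'
var HOME_NET any
preprocessor frag2
# preprocessor stream4: detect_scans
preprocessor telnet_decode
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Active but absent from the packaged config:"
stale_preprocs "$demo_dir/snort.conf" "$demo_dir/snort.conf.rpmnew"
rm -rf "$demo_dir"
```

Running such a check before restarting the daemon matters here because, as the log shows, the init script can report "snort startup succeeded" even though snort has already exited with a FATAL ERROR.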

 

