Snort mailing list archives
Re: FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.
From: alexus <alexus () gmail com>
Date: Tue, 16 Aug 2011 11:08:43 -0400
ok, I just did make clean and I'm making it again.. let's see how it works this time...

On Tue, Aug 16, 2011 at 10:52 AM, Russ Combs <rcombs () sourcefire com> wrote:

Make sure that you do a make clean and then make install after you reconfigure.

On Tue, Aug 16, 2011 at 10:36 AM, alexus <alexus () gmail com> wrote:

also if I take a snort.conf that came with distro (2.9.0.5) snort stops on following

Aug 16 14:29:00 dd snort[53724]: FATAL ERROR: /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for 'global' configuration.

when I tried with snort.conf that came with rules I've got same message

Aug 16 14:35:32 dd snort[55489]: FATAL ERROR: /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for 'global' configuration.

On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus () gmail com> wrote:

I have following in my snort.conf (top section)

# OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3

I went ahead and recompiled it with all that, yet I still get same results

On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler () sourcefire com> wrote:

Look at the top of the snort.conf file. You should see our recommended compile options.

Sent from my iPhone

On Aug 15, 2011, at 21:32, alexus <alexus () gmail com> wrote:

Anything specific ?

On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler () sourcefire com> wrote:

Sounds like you may need to take a look at our recommended compile options at the top of the snort.conf in the etc/ directory. Check that out.

Sent from my iPhone

On Aug 15, 2011, at 20:20, alexus <alexus () gmail com> wrote:

ok, done

I don't have ipv6 enabled on my system so you were right, as soon as I changed ipvar to var it went through that but it complains on something else...

Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
Aug 16 00:16:41 dd snort[22515]: Parsing Rules file "/usr/local/etc/snort.conf"
Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 22 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: Detection:
Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
Aug 16 00:16:41 dd snort[22515]: FATAL ERROR: /usr/local/etc/snort.conf(246) => Unknown Stream5 global option (max_active_responses 2)

# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

for whatever reason(s) now it doesn't like this line:

min_response_seconds 5

or according to syslog line

max_active_responses 2, \

On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 8/15/2011 17:15, alexus wrote:
> line 45 of /usr/local/etc/snort.conf states:
>
> ipvar HOME_NET [64.237.55.65/27]
>
> I don't understand why it's complaining ...

IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your snort compile, it won't work... use var instead of ipvar...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation

--
http://alexus.org/
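An added example (not code from the thread or from the Snort project) of a preflight check for the failure mode discussed above: it compares the `# OPTIONS :` header of snort.conf with the configure line the binary was actually built from, and lists active config lines whose keywords depend on a switch that is missing. The keyword-to-switch table and the sample file are constructed; only the `ipvar` pairing is stated in the thread, the other two are assumptions.

```python
import re

# Keyword -> configure switch that compiles it in. The ipvar pairing is stated
# in the thread; the zlib and active-response pairings are assumptions taken
# from the Snort 2.9 documentation, not from the thread.
BUILD_DEPENDENT = {
    "ipvar": "--enable-ipv6",
    "compress_depth": "--enable-zlib",
    "decompress_depth": "--enable-zlib",
    "max_active_responses": "--enable-active-response",
    "min_response_seconds": "--enable-active-response",
}
SWITCH_RE = re.compile(r"--enable-[\w-]+")

def recommended_switches(conf_text):
    """Switches listed on the '# OPTIONS :' comment at the top of snort.conf."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#") and "OPTIONS" in line:
            return set(SWITCH_RE.findall(line))
    return set()

def preflight(conf_text, configure_args):
    """Return (recommended switches the build lacks, [(line, keyword, switch)])."""
    built = set(SWITCH_RE.findall(configure_args))
    missing = recommended_switches(conf_text) - built
    findings = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        active = line.split("#", 1)[0]  # ignore comments
        for word in re.findall(r"\w+", active):
            switch = BUILD_DEPENDENT.get(word)
            if switch and switch not in built:
                findings.append((number, word, switch))
    return missing, findings

# Constructed sample: the OPTIONS header quoted in the thread plus the three
# kinds of lines that triggered the FATAL ERRORs (the address is a placeholder).
RECOMMENDED = ("--enable-ipv6 --enable-gre --enable-mpls --enable-targetbased "
               "--enable-decoder-preprocessor-rules --enable-ppm "
               "--enable-perfprofiling --enable-zlib --enable-active-response "
               "--enable-normalizer --enable-reload --enable-react --enable-flexresp3")
SAMPLE_CONF = "# OPTIONS : " + RECOMMENDED + "\n" + """\
ipvar HOME_NET [192.0.2.0/27]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_active_responses 2, \\
   min_response_seconds 5
"""

if __name__ == "__main__":
    missing, findings = preflight(SAMPLE_CONF, "./configure --enable-gre --enable-ppm")
    print("recommended but not built:", sorted(missing))
    for number, word, switch in findings:
        print(f"line {number}: '{word}' needs {switch}")
```

This only compares text; after a rebuild (`make clean`, then `make install`), `snort -T -c /usr/local/etc/snort.conf` runs the installed binary's own parser over the file.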