Snort mailing list archives

Re: FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.


From: alexus <alexus () gmail com>
Date: Tue, 16 Aug 2011 11:08:43 -0400

OK, I just did a make clean and I'm making it again... let's see how it
works this time.

On Tue, Aug 16, 2011 at 10:52 AM, Russ Combs <rcombs () sourcefire com> wrote:
Make sure that you do a make clean and then make install after you
reconfigure.

On Tue, Aug 16, 2011 at 10:36 AM, alexus <alexus () gmail com> wrote:

Also, if I take the snort.conf that came with the distro (2.9.0.5),

snort stops on the following:

Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
/usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
'global' configuration.

When I tried with the snort.conf that came with the rules, I got the same message:

Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
/usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
'global' configuration.



On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus () gmail com> wrote:
I have the following in my snort.conf (top section):

#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
--enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-zlib --enable-active-response
--enable-normalizer --enable-reload --enable-react --enable-flexresp3

I went ahead and recompiled it with all that, yet I still get the same results.

On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler () sourcefire com> wrote:
Look at the top of the snort.conf file. You should see our recommended
compile options.

Sent from my iPhone
On Aug 15, 2011, at 21:32, alexus <alexus () gmail com> wrote:

Anything specific?

On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler () sourcefire com> wrote:
Sounds like you may need to take a look at our recommended compile
options at the top of the snort.conf in the etc/ directory.

Check that out.

Sent from my iPhone

On Aug 15, 2011, at 20:20, alexus <alexus () gmail com> wrote:

OK, done.
I don't have IPv6 enabled on my system, so you were right: as soon as I
changed ipvar to var it went through that,
but it complains about something else...

Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
"/usr/local/etc/snort.conf"
Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 22 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
Aug 16 00:16:41 dd snort[22515]:
Aug 16 00:16:41 dd snort[22515]: Detection:
Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations =
enabled
Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
from /usr/local/lib/snort_dynamicrules...
Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
detection libs from /usr/local/lib/snort_dynamicrules
Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor
libs
from /usr/local/lib/snort_dynamicpreprocessor/...
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library

/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library

/usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Aug 16 00:16:41 dd snort[22515]: done
Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
/usr/local/etc/snort.conf(246) => Unknown Stream5 global option
(max_active_responses 2)


# Target-Based stateful inspection/stream reassembly. For more
information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
min_response_seconds 5

For whatever reason(s), now it doesn't like this line:

min_response_seconds 5

or, according to syslog, this line:

max_active_responses 2, \



On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 8/15/2011 17:15, alexus wrote:
line 45 of /usr/local/etc/snort.conf states:

ipvar HOME_NET [64.237.55.65/27]

I don't understand why it's complaining...

IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in
your snort compile, it won't work... use var instead of ipvar...




------------------------------------------------------------------------------
uberSVN's rich system and user administration capabilities and model
configuration take the hassle out of deploying and managing Subversion and
the tools developers use with it. Learn more about uberSVN and get a free
download at: http://p.sf.net/sfu/wandisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation




--
http://alexus.org/







--
http://alexus.org/







-- 
http://alexus.org/

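A pre-flight check of the kind this thread could have used, added here as an example and not code from the thread or from the Snort project: it joins backslash-continued stanzas so a multi-line stream5_global block is read as one directive, reports each directive whose ./configure flag is absent from the build, and lists any flag on the "# OPTIONS :" banner that the build lacks. The ipvar -> --enable-ipv6 pairing is what the thread reports; the compress_depth -> --enable-zlib and max_active_responses / min_response_seconds -> --enable-active-response pairings are my assumptions drawn from the recommended OPTIONS line quoted above and the Snort 2.9 manual, not something the thread states outright. The sample snort.conf text and the build flag list are constructed for the example.

```python
import re

# Directive -> ./configure flag it depends on -> remedy. The ipvar/--enable-ipv6
# pairing is what the thread reports; the other pairings are assumptions taken from
# the recommended OPTIONS banner and the Snort 2.9 manual (not verified here).
REQUIREMENTS = [
    (re.compile(r"^ipvar\b"), "--enable-ipv6",
     "use 'var' instead of 'ipvar', or rebuild with IPv6 support"),
    (re.compile(r"\b(?:de)?compress_depth\b"), "--enable-zlib",
     "rebuild with zlib support, or drop the option"),
    (re.compile(r"\bmax_active_responses\b"), "--enable-active-response",
     "rebuild with active response, or drop the option"),
    (re.compile(r"\bmin_response_seconds\b"), "--enable-active-response",
     "rebuild with active response, or drop the option"),
]


def logical_lines(text):
    """Yield (first_line_number, joined_text) with backslash continuations merged,
    so a multi-line 'preprocessor stream5_global:' stanza is inspected as one unit
    and reported at the line number snort itself would quote."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def recommended_options(conf_text):
    """Flags listed on the '# OPTIONS :' banner at the top of snort.conf,
    which is what the thread's advice says the build should use."""
    flags = []
    for _, line in logical_lines(conf_text):
        if line.startswith("#") and "OPTIONS" in line:
            flags.extend(re.findall(r"--enable-[\w-]+", line))
    return flags


def check_conf(conf_text, built_with):
    """Return one finding per directive whose build flag is missing from built_with.
    Each finding is (line_number, matched_directive, required_flag, remedy)."""
    built = set(built_with)
    findings = []
    for lineno, line in logical_lines(conf_text):
        if not line or line.startswith("#"):
            continue  # comments (including the OPTIONS banner) are not directives
        for pattern, flag, remedy in REQUIREMENTS:
            m = pattern.search(line)
            if m and flag not in built:
                findings.append((lineno, m.group(0), flag, remedy))
    return findings


# Constructed sample snort.conf mirroring the shape of the one in the thread.
SAMPLE_CONF = """\
#--------------------------------------------------
#   Snort build options (constructed sample banner):
#     OPTIONS : --enable-ipv6 --enable-zlib --enable-active-response
#--------------------------------------------------
ipvar HOME_NET [192.0.2.0/24]
var EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]

# Target-Based stateful inspection/stream reassembly.
preprocessor stream5_global: track_tcp yes, \\
    track_udp yes, \\
    max_tcp 262144, \\
    max_active_responses 2, \\
    min_response_seconds 5

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
"""

# Constructed: a build done without IPv6 and without active response.
BUILT_WITHOUT = ["--enable-gre", "--enable-zlib", "--enable-reload"]

if __name__ == "__main__":
    for lineno, directive, flag, remedy in check_conf(SAMPLE_CONF, BUILT_WITHOUT):
        print(f"snort.conf({lineno}): '{directive}' needs {flag}: {remedy}")
    missing = [f for f in recommended_options(SAMPLE_CONF) if f not in BUILT_WITHOUT]
    print("recommended flags missing from this build:", " ".join(missing) or "none")
```

To use it against a real installation, read /usr/local/etc/snort.conf into conf_text and pass the flags actually given to ./configure (from the shell history or the generated config.status) as built_with; the findings carry the same line numbers snort prints in its FATAL ERROR messages. As Russ notes above, after reconfiguring the flags the tree needs a make clean before make install, otherwise the binary still reflects the old build.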
