Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FATAL ERROR: /usr/local/etc/snort.conf(45) Unknown rule type: ipvar.

From: alexus <alexus () gmail com>
Date: Thu, 18 Aug 2011 12:13:53 -0400
I download 2.8.6.1

su-3.2# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 IPv6 GRE (Build 39)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

su-3.2#

download ruleset for 2.8 and same thing... (it CRUSHES!!!)

su-3.2# snort -c /usr/local/etc/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 3128 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 65535 ]
PortVar 'FTP_PORTS' defined :  [ 20:21 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
  Loading dynamic detection library
/usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
done
  Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
done
  Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Finished Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
Segmentation fault: 11 (core dumped)
su-3.2#





On Wed, Aug 17, 2011 at 12:40 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 8/17/2011 11:07, alexus wrote:

it seems like it's failing on part #5 (preprocessors(rpc_decode))


su-3.2# snort -sc /usr/local/etc/snort.conf
Running in IDS mode

         --== Initializing Snort ==--

[TRIM]

rpc_decode arguments:
     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
32776 32777 32778 32779
     alert_fragments: INACTIVE
     alert_large_fragments: INACTIVE
     alert_incomplete: INACTIVE
     alert_multiple_requests: INACTIVE
Segmentation fault: 11 (core dumped)
su-3.2#


in my (old) snort (Snort 2.8.6.1 GRE (Build 39)), the next line is the loading
of the Portscan Detection Config... it is immediately after the
alert_multiple_requests line... then i have the following sections...

 FTPTelnet Config
 SMTP Config
 SSH Config
 DCE/RPC 2 Preprocessor Configuration
 DNS Configuration
 SSLPP config
 Initializing rule chains...

maybe this helps somewhat?

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
user administration capabilities and model configuration. Take
the hassle out of deploying and managing Subversion and the
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!





-- 
http://alexus.org/

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: