Snort mailing list archives
Snort SIP Preprocessor error
From: Jesse Whyte <jesse.whyte () argoc com>
Date: Wed, 22 Aug 2012 12:13:44 -0400
List members, I've successfully compiled snort 2.9.3.1 on an Ubuntu 12.04 box running kernel version 3.2.0-29. I'm trying to hand-compile from source rather than use the packaged version. The configure appears to execute successfully, as does the make. After configuring oinkmaster and running snort with generic rules, I'm encountering the following strange error: Running in IDS mode --== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file "/etc/snort/snort.conf" PortVar 'HTTP_PORTS' defined : [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9 090:9091 9443 9999 11371 ] PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ] PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ] PortVar 'SSH_PORTS' defined : [ 22 ] PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ] PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ] Detection: Search-Method = AC-Full-Q Split Any/Any group = enabled Search-Method-Optimizations = enabled Maximum pattern length = 20 Tagged Packet Limit: 256 Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/... Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/ Log directory = /var/log/snort WARNING: ip4 normalizations disabled because not inline. WARNING: tcp normalizations disabled because not inline. WARNING: icmp4 normalizations disabled because not inline. WARNING: ip6 normalizations disabled because not inline. WARNING: icmp6 normalizations disabled because not inline. Frag3 global config: Max frags: 65536 Fragment memory cap: 4194304 bytes Frag3 engine config: Bound Address: default Target-based policy: WINDOWS Fragment timeout: 180 seconds Fragment min_ttl: 1 Fragment Anomalies: Alert Overlap Limit: 10 Min fragment Length: 100 Stream5 global config: Track TCP sessions: ACTIVE Max TCP sessions: 262144 Memcap (for reassembly packet storage): 8388608 Track UDP sessions: ACTIVE Max UDP sessions: 131072 Track ICMP sessions: INACTIVE Track IP sessions: INACTIVE Log info if session memory consumption exceeds 1048576 Send up to 2 active responses Wait at least 5 seconds between responses Protocol Aware Flushing: ACTIVE Maximum Flush Point: 16384 Stream5 TCP Policy config: Bound Address: default Reassembly Policy: WINDOWS Timeout: 180 seconds Limit on TCP Overlaps: 10 Maximum number of bytes to queue per session: 1048576 Maximum number of segs to queue per session: 2621 Options: Require 3-Way Handshake: YES 3-Way Handshake Timeout: 180 Detect Anomalies: YES Reassembly Ports: 21 client (Footprint) 22 client (Footprint) 23 client (Footprint) 25 client (Footprint) 42 client (Footprint) 53 client (Footprint) 79 client (Footprint) 80 client (Footprint) server (Footprint) 81 client (Footprint) server (Footprint) 109 client (Footprint) 110 client (Footprint) 111 client (Footprint) 113 client (Footprint) 119 client (Footprint) 135 client (Footprint) 136 client (Footprint) 137 client (Footprint) 139 client (Footprint) 143 client (Footprint) 161 client (Footprint) additional ports configured but not printed. Stream5 UDP Policy config: Timeout: 180 seconds HttpInspect Config: GLOBAL CONFIG Max Pipeline Requests: 0 Inspection Type: STATELESS Detect Proxy Usage: NO IIS Unicode Map Filename: /etc/snort/unicode.map IIS Unicode Map Codepage: 1252 Memcap used for logging URI and Hostname: 150994944 Max Gzip Memory: 838860 Max Gzip Sessions: 9532 Gzip Compress Depth: 65535 Gzip Decompress Depth: 65535 DEFAULT SERVER CONFIG: Server profile: All Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 Server Flow Depth: 0 Client Flow Depth: 0 Max Chunk Length: 500000 Max Header Field Length: 750 Max Number Header Fields: 100 Max Number of WhiteSpaces allowed with header folding: 200 Inspect Pipeline Requests: YES URI Discovery Strict Mode: NO Allow Proxy Usage: NO Disable Alerting: NO Oversize Dir Length: 500 Only inspect URI: NO Normalize HTTP Headers: NO Inspect HTTP Cookies: YES Inspect HTTP Responses: YES Extract Gzip from responses: YES Unlimited decompression of gzip data from responses: YES Normalize Javascripts in HTTP Responses: NO Normalize HTTP Cookies: NO Enable XFF and True Client IP: NO Log HTTP URI data: NO Log HTTP Hostname data: NO Extended ASCII code support in URI: NO Ascii: YES alert: NO Double Decoding: YES alert: NO %U Encoding: YES alert: YES Bare Byte: YES alert: NO UTF 8: YES alert: NO IIS Unicode: YES alert: NO Multiple Slash: YES alert: NO IIS Backslash: YES alert: NO Directory Traversal: YES alert: NO Web Root Traversal: YES alert: NO Apache WhiteSpace: YES alert: NO IIS Delimiter: YES alert: NO IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 Whitespace Characters: 0x09 0x0b 0x0c 0x0d rpc_decode arguments: Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 alert_fragments: INACTIVE alert_large_fragments: INACTIVE alert_incomplete: INACTIVE alert_multiple_requests: INACTIVE ERROR size 440 != 432 ERROR: Failed to initialize dynamic preprocessor: SF_SIP (IPV6) version 1.1.1 (-2) Fatal Error, Quitting.. Everything looks fairly normal. The snort.conf file is basically stock. As a first step in trying to isolate the problem, I disabled the sip preprocessor with the following lines in the config file: # SIP Session Initiation Protocol preprocessor. For more information see README.sip preprocessor sip: max_sessions 10000, \ disabled # ports { 5060 5061 5600 }, \ # methods { invite \ # cancel \ # ack \ # bye \ # register \ # options \ # refer \ # subscribe \ # update \ # join \ # info \ # message \ # notify \ # benotify \ # do \ # qauth \ # sprack \ # publish \ # service \ # unsubscribe \ # prack }, \ # max_uri_len 512, \ # max_call_id_len 80, \ # max_requestName_len 20, \ # max_from_len 256, \ # max_to_len 256, \ # max_via_len 1024, \ # max_contact_len 512, \ # max_content_len 1024 (Whereas previously, I had the standard preprocessor config.) Disabling the processor as above did not change the snort output. There does not seem to be anything in the configure output that seems to indicate problems with SIP. Can anyone offer any insight into this issue? Many thanks, Jesse Whyte
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort SIP Preprocessor error Jesse Whyte (Aug 22)
- Re: Snort SIP Preprocessor error Joel Esler (Aug 22)