Snort mailing list archives

Re: snort 2.9.9.0 error


From: "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com>
Date: Fri, 13 Jan 2017 14:23:10 +0000

This line controls which SWF file decompression algorithms are enabled.  By default, Snort is built with ZLIB (deflate) 
decompression libraries, but NOT LZMA libraries.  Specifying LZMA on this config line results in a config parsing error 
as without LZMA included, the LZMA keyword is unknown to the parser.  There is a pending bug to improve the parsing 
logic and produce a better error if/when the keyword is present but without LZMA support.

You can hash out (i.e. remove) this config line, but this will also remove the ZLIB/deflate file decompression mode.
Removing the LZMA keyword will fix the parsing error but leave the deflate mode enabled.

Ed Borgoyn
Cisco Snort Development Team
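
Added example, not part of the original message or of Snort itself: a small POSIX shell check that compares the two edits discussed above (hashing out the decompress_swf line versus removing only the lzma keyword) and reports which SWF decompression modes remain. The function names and the sample fragment are constructed for illustration; only the two decompress_* lines come from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): compare the two edits discussed for
# the decompress_swf line of snort.conf.

# Constructed fragment; only the two decompress_* lines come from the thread.
write_sample() {
    cat > "$1" <<'EOF'
preprocessor http_inspect_server: server default \
    decompress_swf { deflate lzma } \
    decompress_pdf { deflate }
EOF
}

# Print the SWF decompression modes still active in a config ("" if none).
swf_modes() {
    sed -n -E 's/^[[:space:]]*decompress_swf[[:space:]]*\{([^}]*)\}.*/\1/p' "$1" | xargs
}

# Print "LINE:TEXT" for each active decompress_swf option that names lzma.
find_lzma_swf() {
    grep -n -E '^[[:space:]]*decompress_swf[[:space:]]*\{[^}]*lzma' "$1"
}

# Edit A: hash out the whole option line.
hash_out_swf() {
    sed -E 's/^([[:space:]]*)(decompress_swf)/\1# \2/' "$1"
}

# Edit B: drop only the lzma keyword, leaving deflate in place.
strip_lzma_swf() {
    sed -E '/^[[:space:]]*decompress_swf[[:space:]]*\{/ s/[[:space:]]+lzma([[:space:]]|\})/\1/' "$1"
}

# Demo on the constructed fragment.
conf=$(mktemp) && write_sample "$conf"
hash_out_swf "$conf" > "$conf.a"
strip_lzma_swf "$conf" > "$conf.b"
echo "original : $(swf_modes "$conf")"
echo "hashed   : $(swf_modes "$conf.a")"
echo "stripped : $(swf_modes "$conf.b")"
```

After editing the real file, snort -T -c <path to snort.conf> runs Snort in test mode and confirms that the configuration now parses.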


From: Michael Steele <michaels () winsnort com>
Date: Friday, January 13, 2017 at 8:45 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort 2.9.9.0 error

What is the reason for changing the line below, shouldn’t it just be hashed out?

325:    decompress_swf { deflate lzma } \
325:    decompress_swf { deflate } \
Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
*          Visit Us @ http://www.winsnort.com           *
*      ~~ FREE WinIDS Snort installation guides ~~      *
*               ~~ FREE support forums ~~               *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************

From: Kumarswamy H N (kumhn) [mailto:kumhn () cisco com]
Sent: Friday, January 13, 2017 4:29 AM
To: Mojtaba Haghighipour <moj.haghighipour () gmail com>; Michael Steele <michaels () winsnort com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.9.0 error

You can either install the lzma package or change line 325 to decompress_swf { deflate } \

From: Mojtaba Haghighipour [mailto:moj.haghighipour () gmail com]
Sent: Friday, January 13, 2017 2:42 PM
To: Michael Steele <michaels () winsnort com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.9.0 error

These are my lines 325 and 326:
325:    decompress_swf { deflate lzma } \
326:    decompress_pdf { deflate }
What should I do now?

On Fri, Jan 13, 2017 at 12:39 AM, Michael Steele <michaels () winsnort com> wrote:
This has been around for months and should be displayed as a warning and not a fatal error.

Kindest regards,
Michael...

From: Ed Borgoyn (eborgoyn) [mailto:eborgoyn () cisco com]
Sent: Thursday, January 12, 2017 12:52 PM
To: Jim Campbell <jim () w4bqp net>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.9.0 error

Does line 326 of snort.conf look like:


decompress_swf { deflate lzma }


If so, then try removing the ‘lzma’ keyword.  If snort is not built with the LZMA libraries for LZMA SWF file 
decompression, then this keyword will lead to a syntax error.


Ed Borgoyn
Cisco Snort Development Team


From: Jim Campbell <jim () w4bqp net>
Date: Thursday, January 12, 2017 at 12:20 PM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort 2.9.9.0 error

It's telling you that line 326 of snort.conf has an error. Perhaps a mismatched or out of place '}'
On 1/12/2017 2:28 AM, Mojtaba Haghighipour wrote:
Hi ... I get this error when I run snort with the command:
snort -c  /etc/snort/rules/etc/snort.conf

ERROR: /etc/snort/rules/etc/snort.conf(326) => Invalid keyword '}' for server configuration.

Fatal Error, Quitting..





Please help me..





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
