Snort mailing list archives
Re: Error while starting Snort 3
From: Y M via Snort-users <snort-users () lists snort org>
Date: Fri, 20 Jul 2018 16:03:11 +0000
Here is the output running Snort against an interface. Snort appears to be running even with the AppID message.

...
--------------------------------------------------
search engine
    instances: 776
    patterns: 79423
    pattern chars: 1389733
    num states: 1059956
    num match states: 79409
    memory scale: MB
    total memory: 28.0291
    pattern memory: 4.35436
    match list memory: 10.7656
    transition memory: 12.8144
Could not read app_name. Line Snort Differs AppKey vmware-remote-auth -> vmware-remote-a
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] ens192

Can you please post the entire output of Snort, i.e., run Snort without -q, as well as the command line used to run Snort? When I was testing, the errors in rules or configuration would show up early when Snort is loading/parsing these.

YM

________________________________
From: Ľubomír Bielik <lubomir.bielik.96 () gmail com>
Sent: Friday, July 20, 2018 6:21 PM
To: Y M
Subject: Re: [Snort-users] Error while starting Snort 3

Hi YM,

I can see, thanks, but unfortunately I am trying to run snort against an interface, and snort quits immediately after encountering an error.

On Fri, 20. 7. 2018, 16:51 Y M via Snort-users <snort-users () lists snort org> wrote:

I have had the same AppID message but it never caused Snort to error out or quit. I just considered it a warning. Output of Snort running against a pcap is attached just in case it helps.

YM

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Mike Stepanek (mstepane) via Snort-users <snort-users () lists snort org>
Sent: Wednesday, July 18, 2018 7:53 PM
To: Ľubomír Bielik; snort-users () lists snort org
Subject: Re: [Snort-users] Error while starting Snort 3

Correction: The entries in that file are tab-delineated (my fingers got ahead of my brain).

In the appMapping.data file that you shared with me, it looks like the very first line is "bogus" (the one that doesn't look like any other line). I just downloaded it myself, and I see the same issue that you see. Somewhere along the way, we must have started including a bad line at the top of that file. We will work on getting that resolved.

Also, it looks like Snort2 and Snort3 AppIDs have a different stance on the fatalness of bad app entries. We'll work on resolving that as well (and make a clearer message).

In the meantime, you should be able to just remove that first line, and it should work just fine. So, delete this line at the top (it shouldn't be there):

Snort Differs AppKey vmware-remote-auth -> vmware-remote-a

Thanks for the report!

- Mike Stepanek
mstepane () cisco com

On 7/18/18, 10:40 AM, "Mike Stepanek (mstepane)" <mstepane () cisco com> wrote:

It seems to be complaining about your appMapping.data in your ODP (with what looks to be an odd line in it). Which ODP are you using? Did you modify it at all? Anything odd looking in it (each line should basically look the same with a comma-separated list of strings and numbers)? Anything odd about how you configured it? I don't suppose we can get the file...

- Mike Stepanek
mstepane () cisco com

On 7/18/18, 7:41 AM, "Snort-users on behalf of Ľubomír Bielik via Snort-users" <snort-users-bounces () lists snort org on behalf of snort-users () lists snort org> wrote:

Hi all,

I am trying to install snort 3 on a VM with centos 7.5 with this guide, however I fail to run snort against an interface like shown in the end.

Guide: https://www.snort.org/documents/snort-3-on-centos-7

While initialising the search engine, I get a fatal error and snort quits. I found nothing about this specific error.

Error:
--------------------------------------------------
search engine
    instances: 791
    patterns: 81091
    pattern chars: 1416781
    num states: 1081210
    num match states: 81083
    memory scale: MB
    total memory: 28.5913
    pattern memory: 4.44377
    match list memory: 10.981
    transition memory: 13.0699
Could not read app_name. Line Snort Differs AppKey vmware-remote-auth -> vmware-remote-a
--------------------------------------------------
pcap DAQ configured to passive.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..

Any help please?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
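A check for the kind of stray line described in the thread, as an added example (not code from the thread or from the Snort project): it reports lines of a tab-separated file whose field count differs from the rest, and can write a cleaned copy while keeping a backup. The function names and the sample rows are made up; only the bogus first line is quoted from the thread, and the real column layout of appMapping.data is not assumed.

```shell
#!/bin/sh
# Report lines whose tab-separated field count differs from the most common
# field count in the file. Output: LINENO<TAB>NFIELDS<TAB>original line.
find_odd_lines() {
    awk -F '\t' '
        { nf[NR] = NF; line[NR] = $0; count[NF]++ }
        END {
            # the field count shared by most lines is taken as the expected shape
            for (n in count) if (count[n] > best) { best = count[n]; want = n + 0 }
            for (i = 1; i <= NR; i++)
                if (nf[i] != want) printf "%d\t%d\t%s\n", i, nf[i], line[i]
        }' "$1"
}

# Drop the odd lines in place, keeping the untouched original as FILE.bak.
# Review the find_odd_lines report first: blank lines are also counted as odd.
drop_odd_lines() {
    src=$1
    cp -p "$src" "$src.bak" || return 1
    odd=$(find_odd_lines "$src.bak" | cut -f1 | tr '\n' ' ')
    awk -v odd=" $odd" 'index(odd, " " NR " ") == 0 { print }' "$src.bak" > "$src"
}

# Constructed sample: the stray line from the thread followed by three
# made-up tab-separated rows (not the real appMapping.data columns).
make_sample() {
    printf 'Snort Differs AppKey vmware-remote-auth -> vmware-remote-a\n' > "$1"
    printf '1\texample-app-one\t10\t20\n' >> "$1"
    printf '2\texample-app-two\t11\t21\n' >> "$1"
    printf '3\texample-app-three\t12\t22\n' >> "$1"
}

# When given a file argument, print the report for that file.
if [ "$#" -gt 0 ]; then
    find_odd_lines "$1"
fi
```

Run it with the path to the ODP's appMapping.data to see which lines stand out before deleting anything.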
Current thread:
- Error while starting Snort 3 Ľubomír Bielik via Snort-users (Jul 18)
- Re: Error while starting Snort 3 Y M via Snort-users (Jul 19)
- Re: Error while starting Snort 3 Mike Stepanek (mstepane) via Snort-users (Jul 19)
- Re: Error while starting Snort 3 Mike Stepanek (mstepane) via Snort-users (Jul 19)
- Re: Error while starting Snort 3 Y M via Snort-users (Jul 20)
- Message not available
- Re: Error while starting Snort 3 Y M via Snort-users (Jul 21)
- Re: Error while starting Snort 3 Mike Stepanek (mstepane) via Snort-users (Jul 19)