Snort mailing list archives

Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)


From: "Russ Combs \(rucombs\) via Snort-devel" <snort-devel () lists snort org>
Date: Tue, 7 Jun 2022 14:36:09 +0000

I recommend them all, including dump, depending on use case. You need to read up on the modules available in the libdaq 
and snort3 repos to find out which apply to your case and how to use them:

libdaq:

./README.md
./modules/dump/README.dump.md
./modules/divert/README.divert.md
./modules/trace/README.trace.md
./modules/savefile/README.savefile.md
./modules/bpf/README.bpf.md
./modules/gwlb/README.gwlb.md
./modules/pcap/README.pcap.md
./modules/fst/README.fst.md
./modules/nfq/README.nfq.md
./modules/afpacket/README.afpacket.md
./modules/netmap/README.netmap.md

snort3:

./doc/user/daq.txt (or the user manual)

________________________________
From: Dorian ROSSE <dorianbrice () hotmail fr>
Sent: Tuesday, June 7, 2022 9:33 AM
To: Russ Combs (rucombs) <rucombs () cisco com>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () 
lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

Hello,


What module do you advise aside from dump?

Thank you in advance for your answer,

Regards.


Dorian Rosse.
________________________________
From: Russ Combs (rucombs) <rucombs () cisco com>
Sent: Tuesday, June 7, 2022 3:15:08 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () 
lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

You got the error because the dump DAQ module does not support these DAQ variables you are setting on the command line. 
They look like afpacket variables. Check the DAQ READMEs to select and configure an appropriate module for your needs.

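One way to catch this class of mistake before Snort aborts at startup, as an added example that is not part of this thread or of the Snort/libdaq projects: a small bash check that compares the `--daq-var` names on a command line against the variable list the chosen DAQ module reports. It assumes the shape of Snort 3's `--daq-list` output; the module/variable listing embedded below is a constructed, abbreviated sample, not copied from a real install, so the authoritative variable names still come from the module READMEs and from running `snort --daq-dir <dir> --daq-list` against the installed libdaq.

```shell
#!/usr/bin/env bash
# Added example (not Snort's or libdaq's own code): verify that every
# --daq-var handed to snort names a variable the selected DAQ module
# declares, so the mismatch is reported before snort fails at startup.
#
# Real use: replace DAQ_LIST_SAMPLE with the live listing from
#   snort --daq-dir /path/to/daq_modules --daq-list
# The sample below only mimics that listing's shape; its variable lists
# are constructed and abbreviated, not taken from a real installation.
set -u

DAQ_LIST_SAMPLE='Available DAQ modules:
afpacket(v7): live inline multi unpriv
 Variables:
  buffer_size_mb <arg> - Packet buffer space to allocate in megabytes
  debug - Enable debugging output to stdout
  fanout_type <arg> - Fanout loadbalancing method
  fanout_flag <arg> - Fanout loadbalancing option
dump(v5): inline unpriv wrapper
 Variables:
  file <arg> - PCAP filename for output
  output <arg> - Set to none to prevent output or all to output all packets
pcap(v4): readback live multi unpriv
 Variables:
  buffer_size <arg> - Packet buffer space to allocate in bytes
  no_promiscuous - Disables opening the interface in promiscuous mode'

# daq_module_vars MODULE : print the variable names the listing declares for MODULE
daq_module_vars() {
    printf '%s\n' "$DAQ_LIST_SAMPLE" | awk -v mod="$1" '
        # a module header looks like "name(vN): capabilities"; track whether it is ours
        /^[a-z0-9_]+\(v[0-9]+\):/ { in_mod = (substr($1, 1, index($1, "(") - 1) == mod); next }
        # variable lines are indented two spaces; the first field is the variable name
        in_mod && /^  [a-z0-9_-]+/ { print $1 }
    '
}

# check_daq_vars MODULE VAR=VALUE... : return 0 if every VAR is declared by MODULE,
# otherwise report each unsupported one on stderr and return 1.
check_daq_vars() {
    local mod="$1"; shift
    local declared rc=0 v name
    declared=$(daq_module_vars "$mod")
    for v in "$@"; do
        name=${v%%=*}
        if ! printf '%s\n' "$declared" | grep -qx -- "$name"; then
            echo "unsupported: --daq-var $v is not a variable of the '$mod' DAQ module" >&2
            rc=1
        fi
    done
    return $rc
}

# The thread's command line paired "--daq dump" with afpacket-style variables;
# the dump module declares none of them, which is what snort's error reflects.
if [ "${1:-}" = "--demo" ]; then
    check_daq_vars dump lb_total=4 fanout_type=hash lb_id=1
    check_daq_vars afpacket fanout_type=hash && echo "afpacket accepts fanout_type"
fi
```

Run it with `--demo` to see the dump module reject the variables from the thread; in practice you would pipe the real `--daq-list` output into `DAQ_LIST_SAMPLE` and run `check_daq_vars` against the module named in your actual `--daq` argument before launching snort.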

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Akshay Prabhakar via Snort-users <snort-users 
() lists snort org>
Sent: Monday, June 6, 2022 6:20 PM
To: Dorian ROSSE <dorianbrice () hotmail fr>
Cc: Snort-users () lists snort org <snort-users () lists snort org>; snort-devel () lists snort org <snort-devel () 
lists snort org>
Subject: Re: [Snort-users] snort 2.3.21 new error after install the rules for the next last snort (2.3.30)

On Wed, May 25, 2022 at 12:23 AM Dorian ROSSE via Snort-users <snort-users () lists snort org<mailto:snort-users () 
lists snort org>> wrote:
Hello,


I have run into this error since I installed the rules for the next last snort 2.3.30:

'''~/snort_src/snort3-3.1.21.0$ sudo snort -c /usr/local/etc/snort/snort.lua --daq-dir ../libdaq-3.0.7 --daq pcap --daq 
dump --daq-var lb_total=4 --daq-var fanout_type=hash -s 65535 -k all -l /var/log/snort -i enp0s25 --daq-var lb_id=1 -i 
wlp3s0 --daq-var lb_id=2 -z 2 -m 0x1b
--------------------------------------------------
o")~   Snort++ 3.1.21.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading inline.lua:
Finished inline.lua:
Loading talos.lua:
Finished talos.lua:
trace
output
alert_json
ips
dnp3
binder
wizard
detection
reputation
    Processing blocklist file /usr/local/etc/snort/../lists/default.blocklist
    Reputation entries loaded: 801, invalid: 0, re-defined: 0 (from file 
/usr/local/etc/snort/../lists/default.blocklist)
appid
file_policy
file_id
http2_inspect
dce_tcp
active
dns
references
classifications
arp_spoof
snort
ERROR: /usr/local/etc/snort/snort.lua: snort.--daq-var is invalid
stream_user
stream_tcp
stream_icmp
stream_ip
profiler
alert_talos
stream
stream_udp
stream_file
back_orifice
imap
iec104
modbus
netflow
normalizer
pop
rpc_decode
sip
ssh
ssl
telnet
dce_smb
dce_udp
dce_http_proxy
dce_http_server
gtp_inspect
port_scan
smtp
ftp_server
ftp_client
ftp_data
http_inspect
alerts
daq
decode
host_cache
host_tracker
hosts
network
packets
process
search_engine
so_proxy
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
rule counts
       total rules loaded: 600
            builtin rules: 600
            option chains: 600
            chain headers: 1
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     600       0       0       0
   total     600       0       0       0
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0     600       0     600    /usr/local/etc/snort/snort.lua
--------------------------------------------------
dump:pcap DAQ configured to inline.
FATAL: see prior 1 errors (0 warnings)
Fatal Error, Quitting..
'''

I don't understand the error,

Thank you in advance for helping me fully repair this snort, or since the other e-mail for snort 2.3.30,

Regards.


Dorian ROSSE.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org<mailto:Snort-users () lists snort org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org>

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


--
WITH REGARDS
AKSHAY.K.PRABHAKAR
akshayk.prabhakar () gmail com<mailto:akshayk.prabhakar () gmail com>

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
