you need to build snort with --enable-zlib for that one
On Tue, Aug 16, 2011 at 8:36 AM, alexus <alexus@gmail.com> wrote:
> also if I take a snort.conf that came with distro (2.9.0.5)
>
> snort stops on following
>
> Aug 16 14:29:00 dd snort[53724]: FATAL ERROR:
> /usr/local/etc/snort.conf(212) => Invalid keyword 'compress_depth' for
> 'global' configuration.
>
> when I tried with snort.conf that came with rules I've got same message
>
> Aug 16 14:35:32 dd snort[55489]: FATAL ERROR:
> /usr/local/etc/snort.conf(265) => Invalid keyword 'compress_depth' for
> 'global' configuration.
>
>
>
> On Tue, Aug 16, 2011 at 1:06 AM, alexus <alexus@gmail.com> wrote:
> > I have following in my snort.conf (top section)
> >
> > # OPTIONS : --enable-ipv6 --enable-gre --enable-mpls
> > --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
> > --enable-perfprofiling --enable-zlib --enable-active-response
> > --enable-normalizer --enable-reload --enable-react --enable-flexresp3
> >
> > I went ahead and recompiled it with all that yet I still get the same results
> >
> > On Mon, Aug 15, 2011 at 10:22 PM, Joel Esler <jesler@sourcefire.com> wrote:
> >> Look at the top of the snort.conf file. You should see our recommended
> >> compile options.
> >>
> >> Sent from my iPhone
> >> On Aug 15, 2011, at 21:32, alexus <alexus@gmail.com> wrote:
> >>
> >> Anything specific ?
> >>
> >> On Aug 15, 2011 8:59 PM, "Joel Esler" <jesler@sourcefire.com> wrote:
> >>> Sounds like you may need to take a look at our recommended compile options
> >>> at the top of the snort.conf in the etc/ directory.
> >>>
> >>> Check that out.
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On Aug 15, 2011, at 20:20, alexus <alexus@gmail.com> wrote:
> >>>
> >>>> ok, done
> >>>> I don't have ipv6 enabled on my system so you were right as soon as I
> >>>> changed ipvar to var it went through that
> >>>> but it complains about something else...
> >>>>
> >>>> Aug 16 00:16:41 dd snort[22515]: Running in IDS mode
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: --== Initializing Snort ==--
> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Output Plugins!
> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Preprocessors!
> >>>> Aug 16 00:16:41 dd snort[22515]: Initializing Plug-ins!
> >>>> Aug 16 00:16:41 dd snort[22515]: Parsing Rules file
> >>>> "/usr/local/etc/snort.conf"
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'HTTP_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 80:81 311 591 593 901 1220 1414
> >>>> 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080
> >>>> 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SHELLCODE_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 0:79 81:65535 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'ORACLE_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 1024:65535 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'SSH_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 22 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: PortVar 'FTP_PORTS' defined :
> >>>> Aug 16 00:16:41 dd snort[22515]: [ 21 2100 3535 ]
> >>>> Aug 16 00:16:41 dd snort[22515]:
> >>>> Aug 16 00:16:41 dd snort[22515]: Detection:
> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method = AC-Full-Q
> >>>> Aug 16 00:16:41 dd snort[22515]: Split Any/Any group = enabled
> >>>> Aug 16 00:16:41 dd snort[22515]: Search-Method-Optimizations = enabled
> >>>> Aug 16 00:16:41 dd snort[22515]: Maximum pattern length = 20
> >>>> Aug 16 00:16:41 dd snort[22515]: Tagged Packet Limit: 256
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic engine
> >>>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic detection libs
> >>>> from /usr/local/lib/snort_dynamicrules...
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic detection library
> >>>> /usr/local/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >>>> detection libs from /usr/local/lib/snort_dynamicrules
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading all dynamic preprocessor libs
> >>>> from /usr/local/lib/snort_dynamicpreprocessor/...
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Loading dynamic preprocessor
> >>>> library
> >>>> /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
> >>>> Aug 16 00:16:41 dd snort[22515]: done
> >>>> Aug 16 00:16:41 dd snort[22515]: Finished Loading all dynamic
> >>>> preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> >>>> Aug 16 00:16:41 dd snort[22515]: Log directory = /var/log/snort
> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 global config:
> >>>> Aug 16 00:16:41 dd snort[22515]: Max frags: 65536
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment memory cap: 4194304 bytes
> >>>> Aug 16 00:16:41 dd snort[22515]: Frag3 engine config:
> >>>> Aug 16 00:16:41 dd snort[22515]: Target-based policy: WINDOWS
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment timeout: 180 seconds
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment min_ttl: 1
> >>>> Aug 16 00:16:41 dd snort[22515]: Fragment Problems: 1
> >>>> Aug 16 00:16:41 dd snort[22515]: Overlap Limit: 10
> >>>> Aug 16 00:16:41 dd snort[22515]: Min fragment Length: 100
> >>>> Aug 16 00:16:41 dd snort[22515]: FATAL ERROR:
> >>>> /usr/local/etc/snort.conf(246) => Unknown Stream5 global option
> >>>> (max_active_responses 2)
> >>>>
> >>>>
> >>>> # Target-Based stateful inspection/stream reassembly. For more
> >>>> inforation, see README.stream5
> >>>> preprocessor stream5_global: track_tcp yes, \
> >>>> track_udp yes, \
> >>>> track_icmp no, \
> >>>> max_tcp 262144, \
> >>>> max_udp 131072, \
> >>>> max_active_responses 2, \
> >>>> min_response_seconds 5
> >>>>
> >>>> for whatever reason(s) now it doesn't like this line:
> >>>>
> >>>> min_response_seconds 5
> >>>>
> >>>> or according to syslog line
> >>>>
> >>>> max_active_responses 2, \
> >>>>
> >>>>
> >>>>
> >>>> On Mon, Aug 15, 2011 at 5:40 PM, waldo kitty <wkitty42@windstream.net> wrote:
> >>>>> On 8/15/2011 17:15, alexus wrote:
> >>>>>> line 45 of /usr/local/etc/snort.conf states:
> >>>>>>
> >>>>>> ipvar HOME_NET [64.237.55.65/27]
> >>>>>>
> >>>>>> I don't understand why it's complaining ...
> >>>>>
> >>>>> IIRC, ipvar is for IPv6 stuff... if you do not have IPv6 enabled in your snort
> >>>>> compile, it won't work... use var instead of ipvar...
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------------------
> >>>>> uberSVN's rich system and user administration capabilities and model
> >>>>> configuration take the hassle out of deploying and managing Subversion and
> >>>>> the tools developers use with it. Learn more about uberSVN and get a free
> >>>>> download at: http://p.sf.net/sfu/wandisco-dev2dev
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users@lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>>
> >>>>> Please see http://www.snort.org/docs for documentation
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> http://alexus.org/
> >>>>
> >>>>
> >>>>
> >>
> >
> >
> >
> > --
> > http://alexus.org/
> >
>
>
>
> --
> http://alexus.org/
>
>
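
An added example, not part of any message in this thread: a shell check for the mismatch the thread keeps running into, where snort.conf uses a directive whose configure flag the binary was built without. It assumes the build tree's config.log is available; the function names are hypothetical, and the pairing of max_active_responses with --enable-active-response is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find snort.conf directives that need a
# build flag the binary was not configured with.

# Split stdin on whitespace and keep the --enable-* words, sorted.
enable_flags() { tr -s ' \t' '\n\n' | grep -e '^--enable-' | sort -u; }

# Flags recommended in the "# OPTIONS :" header of snort.conf ($1).
recommended_flags() { grep -e '^# *OPTIONS *:' "$1" | head -n 1 | enable_flags; }

# Flags on the "$ ./configure ..." line autoconf records in config.log ($1).
built_flags() { grep -e '^ *\$ .*configure' "$1" | head -n 1 | enable_flags; }

# Recommended flags ($1 = snort.conf) absent from the build ($2 = config.log).
missing_flags() {
    built=$(built_flags "$2")
    for flag in $(recommended_flags "$1"); do
        printf '%s\n' "$built" | grep -qxF -e "$flag" || printf '%s\n' "$flag"
    done
}

# Print "LINE KEYWORD needs FLAG" for gated directives whose flag is missing.
# The ipvar and compress_depth pairings come from the thread; the
# max_active_responses pairing is an assumption based on the flag's name.
gated_directives() {
    missing=$(missing_flags "$1" "$2")
    while read -r keyword flag; do
        printf '%s\n' "$missing" | grep -qxF -e "$flag" || continue
        grep -n -e "^[^#]*$keyword" "$1" |
            sed "s/^\([0-9]*\):.*/\1 $keyword needs $flag/"
    done <<EOF
ipvar --enable-ipv6
compress_depth --enable-zlib
max_active_responses --enable-active-response
EOF
}

# Constructed sample: directives quoted in the thread, build with zlib only.
make_sample() {
    cat > "$1/snort.conf" <<'EOF'
# OPTIONS : --enable-ipv6 --enable-zlib --enable-active-response
ipvar HOME_NET [64.237.55.65/27]
preprocessor stream5_global: track_tcp yes, \
    max_active_responses 2, \
    min_response_seconds 5
EOF
    printf '  $ ./configure --enable-zlib\n' > "$1/config.log"
}

dir=$(mktemp -d) && make_sample "$dir" &&
    gated_directives "$dir/snort.conf" "$dir/config.log"; rm -rf "$dir"
```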