Snort

Re: [Snort-users] Rép. : Freebsd + snort (error when Snort start)

To: FRANCIS PROVENCHER <francis.provencher@msp.gouv.qc.ca>
Subject: Re: [Snort-users] Rép. : Freebsd + snort (error when Snort start)
From: Todd Wease <twease@sourcefire.com>
Date: Tue, 19 Dec 2006 16:46:46 -0500
Cc: snort-users@lists.sourceforge.net
In-reply-to: <s588141a.008@mail.msp.gouv.qc.ca>
References: <s588141a.008@mail.msp.gouv.qc.ca>
FRANCIS PROVENCHER wrote:
> For a more complete log, it looks like this:
>
>
>
> Dec 19 16:12:12 portableBS snort[28402]: Var 'lo0_ADDRESS' defined,
> value len = 19 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = 127.0.0.0/255.0.0.0
> Dec 19 16:12:12 portableBS snort[28402]: Parsing Rules file
> /usr/local/etc/snort/snort.conf
> Dec 19 16:12:12 portableBS snort[28402]: Var 'HOME_NET' defined, value
> len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'EXTERNAL_NET' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'DNS_SERVERS' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'SMTP_SERVERS' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'HTTP_SERVERS' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'SQL_SERVERS' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'TELNET_SERVERS' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'SNMP_SERVERS' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = any
> Dec 19 16:12:12 portableBS snort[28402]: Var 'HTTP_PORTS' defined,
> value len = 2 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = 80
> Dec 19 16:12:12 portableBS snort[28402]: Var 'SHELLCODE_PORTS' defined,
> value len = 3 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = !80
> Dec 19 16:12:12 portableBS snort[28402]: Var 'ORACLE_PORTS' defined,
> value len = 4 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value = 1521
> Dec 19 16:12:12 portableBS snort[28402]: Var 'AIM_SERVERS' defined,
> value len = 185 chars
> Dec 19 16:12:12 portableBS snort[28402]:
> Dec 19 16:12:12 portableBS snort[28402]:   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
> Dec 19 16:12:12 portableBS snort[28402]:   
> .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Dec 19 16:12:12 portableBS snort[28402]: Var 'RULE_PATH' defined, value
> len = 27 chars
> Dec 19 16:12:12 portableBS snort[28402]: , value =
> /usr/local/etc/snort/rules/
> Dec 19 16:12:12 portableBS snort[28402]: ,-----------[Flow
> Config]----------------------
> Dec 19 16:12:12 portableBS snort[28402]: | Stats Interval:  0
> Dec 19 16:12:12 portableBS snort[28402]: | Hash Method:     2
> Dec 19 16:12:12 portableBS snort[28402]: | Memcap:          10485760
> Dec 19 16:12:12 portableBS snort[28402]: | Rows  :          4099
> Dec 19 16:12:12 portableBS snort[28402]: | Overhead Bytes: 
> 16400(%0.16)
> Dec 19 16:12:12 portableBS snort[28402]:
> `----------------------------------------------
> Dec 19 16:12:12 portableBS snort[28402]: Frag3 global config:
> Dec 19 16:12:12 portableBS snort[28402]:     Max frags: 65536
> Dec 19 16:12:12 portableBS snort[28402]:     Fragment memory cap:
> 4194304 bytes
> Dec 19 16:12:12 portableBS snort[28402]: Frag3 engine config:
> Dec 19 16:12:12 portableBS snort[28402]:     Target-based policy:
> FIRST
> Dec 19 16:12:12 portableBS snort[28402]:     Fragment timeout: 60
> seconds
> Dec 19 16:12:12 portableBS snort[28402]:     Fragment min_ttl:   1
> Dec 19 16:12:12 portableBS snort[28402]:     Fragment ttl_limit: 5
> Dec 19 16:12:12 portableBS snort[28402]:     Fragment Problems: 1
> Dec 19 16:12:12 portableBS snort[28402]:     Bound Addresses:
> 0.0.0.0/0.0.0.0
> Dec 19 16:12:12 portableBS snort[28402]: Stream4 config:
> Dec 19 16:12:12 portableBS snort[28402]:     Stateful inspection:
> ACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Session statistics:
> INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Session timeout: 30
> seconds
> Dec 19 16:12:12 portableBS snort[28402]:     Session memory cap:
> 8388608 bytes
> Dec 19 16:12:12 portableBS snort[28402]:     Session count max: 8192
> sessions
> Dec 19 16:12:12 portableBS snort[28402]:     Session cleanup count: 5
> Dec 19 16:12:12 portableBS snort[28402]:     State alerts: INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Evasion alerts: INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Scan alerts: INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Log Flushed Streams:
> INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     MinTTL: 1
> Dec 19 16:12:12 portableBS snort[28402]:     TTL Limit: 5
> Dec 19 16:12:12 portableBS snort[28402]:     Async Link: 0
> Dec 19 16:12:12 portableBS snort[28402]:     State Protection: 0
> Dec 19 16:12:12 portableBS snort[28402]:     Self preservation
> threshold: 50
> Dec 19 16:12:12 portableBS snort[28402]:     Self preservation period:
> 90
> Dec 19 16:12:12 portableBS snort[28402]:     Suspend threshold: 200
> Dec 19 16:12:12 portableBS snort[28402]:     Suspend period: 30
> Dec 19 16:12:12 portableBS snort[28402]:     Enforce TCP State:
> INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Midstream Drop Alerts:
> INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Allow Blocking of TCP
> Sessions in Inline: ACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Server Data Inspection
> Limit: -1
> Dec 19 16:12:12 portableBS snort[28402]: WARNING
> /usr/local/etc/snort/snort.conf(408) => flush_behavior set in config
> file, using old static flushpoints (0)
> Dec 19 16:12:12 portableBS snort[28402]: Stream4_reassemble config:
> Dec 19 16:12:12 portableBS snort[28402]:     Server reassembly:
> INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Client reassembly: ACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Reassembler alerts:
> ACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Zero out flushed packets:
> INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     Flush stream on alert:
> INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     flush_data_diff_size: 500
> Dec 19 16:12:12 portableBS snort[28402]:     Reassembler Packet
> Preferance : Favor Old
> Dec 19 16:12:12 portableBS snort[28402]:     Packet Sequence Overlap
> Limit: -1
> Dec 19 16:12:12 portableBS snort[28402]:     Flush behavior: Small
> (<255 bytes)
> Dec 19 16:12:12 portableBS snort[28402]:     Ports: 21 23 25 42 53 80
> 110 111 135 136 137 139 143 445 513 1433 1521 3306
> Dec 19 16:12:12 portableBS snort[28402]:     Emergency Ports: 21 23 25
> 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
>  3306
> Dec 19 16:12:12 portableBS snort[28402]: HttpInspect Config:
> Dec 19 16:12:12 portableBS snort[28402]:     GLOBAL CONFIG
> Dec 19 16:12:12 portableBS snort[28402]:       Max Pipeline Requests:  
>  0
> Dec 19 16:12:12 portableBS snort[28402]:       Inspection Type:        
>  STATELESS
> Dec 19 16:12:12 portableBS snort[28402]:       Detect Proxy Usage:     
>  NO
> Dec 19 16:12:12 portableBS snort[28402]:       IIS Unicode Map
> Filename: /usr/local/etc/snort/unicode.map
> Dec 19 16:12:12 portableBS snort[28402]:       IIS Unicode Map
> Codepage: 1252
> Dec 19 16:12:12 portableBS snort[28402]:     DEFAULT SERVER CONFIG:
> Dec 19 16:12:12 portableBS snort[28402]:       Server profile: All
> Dec 19 16:12:12 portableBS snort[28402]:       Ports: 80 8080 8180
> Dec 19 16:12:12 portableBS snort[28402]:       Flow Depth: 300
> Dec 19 16:12:12 portableBS snort[28402]:       Max Chunk Length:
> 500000
> Dec 19 16:12:12 portableBS snort[28402]:       Inspect Pipeline
> Requests: YES
> Dec 19 16:12:12 portableBS snort[28402]:       URI Discovery Strict
> Mode: NO
> Dec 19 16:12:12 portableBS snort[28402]:       Allow Proxy Usage: NO
> Dec 19 16:12:12 portableBS snort[28402]:       Disable Alerting: NO
> Dec 19 16:12:12 portableBS snort[28402]:       Oversize Dir Length:
> 500
> Dec 19 16:12:12 portableBS snort[28402]:       Only inspect URI: NO
> Dec 19 16:12:12 portableBS snort[28402]:       Ascii: YES alert: NO
> Dec 19 16:12:12 portableBS snort[28402]:       Double Decoding: YES
> alert: YES
> Dec 19 16:12:12 portableBS snort[28402]:       %U Encoding:
>  YES alert:
> YES
> Dec 19 16:12:12 portableBS snort[28402]:       Bare Byte: YES alert:
> YES
> Dec 19 16:12:12 portableBS snort[28402]:       Base36: OFF
> Dec 19 16:12:12 portableBS snort[28402]:       UTF 8: OFF
> Dec 19 16:12:12 portableBS snort[28402]:       IIS Unicode: YES alert:
> YES
> Dec 19 16:12:12 portableBS snort[28402]:       Multiple Slash: YES
> alert: NO
> Dec 19 16:12:12 portableBS snort[28402]:       IIS Backslash: YES
> alert: NO
> Dec 19 16:12:12 portableBS snort[28402]:       Directory Traversal: YES
> alert: NO
> Dec 19 16:12:12 portableBS snort[28402]:       Web Root Traversal: YES
> alert: YES
> Dec 19 16:12:12 portableBS snort[28402]:       Apache WhiteSpace: YES
> alert: NO
> Dec 19 16:12:12 portableBS snort[28402]:       IIS Delimiter: YES
> alert: NO
> Dec 19 16:12:12 portableBS snort[28402]:       IIS Unicode Map: GLOBAL
> IIS UNICODE MAP CONFIG
> Dec 19 16:12:12 portableBS snort[28402]:       Non-RFC Compliant
> Characters: NONE
> Dec 19 16:12:12 portableBS snort[28402]:       Whitespace Characters:
> 0x09 0x0b 0x0c 0x0d
> Dec 19 16:12:12 portableBS snort[28402]: rpc_decode arguments:
> Dec 19 16:12:12 portableBS snort[28402]:     Ports to decode RPC on:
> 111 32771
> Dec 19 16:12:12 portableBS snort[28402]:     alert_fragments: INACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     alert_large_fragments:
> ACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     alert_incomplete: ACTIVE
> Dec 19 16:12:12 portableBS snort[28402]:     alert_multiple_requests:
> ACTIVE
> Dec 19 16:12:12 portableBS snort[28402]: Portscan Detection Config:
> Dec 19 16:12:12 portableBS snort[28402]:     Detect Protocols:  TCP UDP
> ICMP IP
> Dec 19 16:12:12 portableBS snort[28402]:     Detect Scan Type: 
> portscan portsweep decoy_portscan distributed_portscan
> Dec 19 16:12:12 portableBS snort[28402]:     Sensitivity Level: Low
> Dec 19 16:12:12 portableBS snort[28402]:     Memcap (in bytes):
> 10000000
> Dec 19 16:12:12 portableBS snort[28402]:     Number of Nodes:   36900
> Dec 19 16:12:12 portableBS snort[28402]:
> Dec 19 16:12:13 portableBS snort[28402]: Tagged Packet Limit: 256
> Dec 19 16:12:13 portableBS snort[28402]:
> Dec 19 16:12:13 portableBS snort[28402]:
> +-----------------------[thresholding-config]----------------------------------
> Dec 19 16:12:13 portableBS snort[28402]: | memory-cap : 1048576 bytes
> Dec 19 16:12:13 portableBS snort[28402]:
> +-----------------------[thresholding-global]----------------------------------
> Dec 19 16:12:13 portableBS snort[28402]: | none
> Dec 19 16:12:13 portableBS snort[28402]:
> +-----------------------[thresholding-local]-----------------------------------
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=3152   
>    type=Threshold tracking=src count=5   seconds=2
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7760   
>    type=Limit     tracking=src count=1   seconds=600
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6127   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7801   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7706   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6128   
>    type=Limit     tracking=src count=1   seconds=600
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7649   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7758   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7669   
>    type=Limit     tracking=src count=1   seconds=120
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7646   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7068   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7759   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=5322   
>    type=Limit     tracking=src count=1   seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7069   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7118   
>    type=Limit     tracking=src count=1   seconds=600
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7712   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=5321   
>    type=Limit     tracking=src count=1   seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=3542   
>    type=Threshold tracking=src count=5   seconds=2
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=2924   
>    type=Threshold tracking=dst count=10  seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7655   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7711   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6336   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7861   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=2275   
>    type=Threshold tracking=dst count=5   seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7613   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7074   
>    type=Limit     tracking=src count=1   seconds=600
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=2923   
>    type=Threshold tracking=dst count=10  seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6146   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6176   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6176   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7642   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6322   
>    type=Limit     tracking=src count=1   seconds=3000
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7802   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6398   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7727   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6321   
>    type=Limit     tracking=src count=1   seconds=3000
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=4984   
>    type=Threshold tracking=src count=5   seconds=2
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=8477   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6122   
>    type=Limit     tracking=src count=1   seconds=600
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7647   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=3543   
>    type=Threshold tracking=src count=5   seconds=2
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7624   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=5323   
>    type=Limit     tracking=src count=1   seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=2523   
>    type=Both      tracking=dst count=10  seconds=10
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=8549   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7691   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7732   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7034   
>    type=Limit     tracking=src count=1   seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=3273   
>    type=Threshold tracking=src count=5   seconds=2
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7739   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7033   
>    type=Limit     tracking=src count=1   seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6174   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6290   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=3527   
>    type=Limit     tracking=dst count=5   seconds=60
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6107   
>    type=Limit     tracking=src count=1   seconds=600
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=6324   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]: | gen-id=1      sig-id=7822   
>    type=Limit     tracking=src count=1   seconds=300
> Dec 19 16:12:13 portableBS snort[28402]:
> +-----------------------[suppression]------------------------------------------
> Dec 19 16:12:13 portableBS snort[28402]: | none
> Dec 19 16:12:13 portableBS snort[28402]:
> -------------------------------------------------------------------------------
> Dec 19 16:12:13 portableBS snort[28402]: Rule application order:
> ->activation->dynamic->pass->drop->alert->log
> Dec 19 16:12:13 portableBS snort[28402]: Log directory =
> /var/log/snort
> Dec 19 16:12:13 portableBS snort[28402]: Loading dynamic engine
> /usr/local/lib/snort/dynamicengine/libsf_engine.so...
> Dec 19 16:12:13 portableBS snort[28402]: done
> Dec 19 16:12:13 portableBS snort[28402]: Loading all dynamic
> preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
> ...
> Dec 19 16:12:13 portableBS snort[28402]:   Loading dynamic preprocessor
> library /usr/local/lib/snort/dynamicpreprocessor//libsf_ftptelnet_preproc.so...
> Dec 19 16:12:13 portableBS snort[28402]: done
> Dec 19 16:12:13 portableBS snort[28402]:   Loading dynamic preprocessor
> library /usr/local/lib/snort/dynamicpreprocessor//libsf_smtp_preproc.so...
> Dec 19 16:12:13 portableBS snort[28402]: done
> Dec 19 16:12:13 portableBS snort[28402]:   Loading dynamic preprocessor
> library /usr/local/lib/snort/dynamicpreprocessor//libsf_ssh_preproc.so...
> Dec 19 16:12:13 portableBS snort[28402]: done
> Dec 19 16:12:13 portableBS snort[28402]:   Loading dynamic preprocessor
> library /usr/local/lib/snort/dynamicpreprocessor//libsf_dcerpc_preproc.so...
> Dec 19 16:12:13 portableBS snort[28402]: done
> Dec 19 16:12:13 portableBS snort[28402]:   Loading dynamic preprocessor
> library /usr/local/lib/snort/dynamicpreprocessor//libsf_dns_preproc.so...
> Dec 19 16:12:13 portableBS snort[28402]: done
> Dec 19 16:12:13 portableBS snort[28402]:   Finished Loading all dynamic
> preprocessor libs from /usr/local/lib/snort/dynamicpreprocessor/
> Dec 19 16:12:13 portableBS snort[28402]: FTPTelnet Config:
> Dec 19 16:12:13 portableBS snort[28402]:     GLOBAL CONFIG
> Dec 19 16:12:13 portableBS snort[28402]:       Inspection Type:
> stateful
> Dec 19 16:12:13 portableBS snort[28402]:       Check for Encrypted
> Traffic: YES alert: YES
> Dec 19 16:12:13 portableBS snort[28402]:       Continue to check
> encrypted data: NO
> Dec 19 16:12:13 portableBS snort[28402]:     TELNET CONFIG:
> Dec 19 16:12:13 portableBS snort[28402]:       Ports: 23
> Dec 19 16:12:13 portableBS snort[28402]:       Are You There Threshold:
> 200
> Dec 19 16:12:13 portableBS snort[28402]:       Normalize: YES
> Dec 19 16:12:13 portableBS snort[28402]:       Detect Anomalies: NO
> Dec 19 16:12:13 portableBS snort[28402]:     FTP CONFIG:
> Dec 19 16:12:13 portableBS snort[28402]:       FTP Server: default
> Dec 19 16:12:13 portableBS snort[28402]:         Ports: 21
> Dec 19 16:12:13 portableBS snort[28402]:         Check for Telnet Cmds:
> YES alert: YES
> Dec 19 16:12:13 portableBS snort[28402]:         Identify open data
> channels: YES
> Dec 19 16:12:13 portableBS snort[28402]:       FTP Client: default
> Dec 19 16:12:13 portableBS snort[28402]:         Check for Bounce
> Attacks: YES alert: YES
> Dec 19 16:12:13 portableBS snort[28402]:         Check for Telnet Cmds:
> YES alert: YES
> Dec 19 16:12:13 portableBS snort[28402]:         Max Response Length:
> 256
> Dec 19 16:12:13 portableBS snort[28402]: SMTP Config:
> Dec 19 16:12:13 portableBS snort[28402]:       Ports:
> Dec 19 16:12:13 portableBS snort[28402]: 25
> Dec 19 16:12:13 portableBS snort[28402]:
> Dec 19 16:12:13 portableBS snort[28402]:       Inspection Type:        
>    STATEFUL
> Dec 19 16:12:13 portableBS snort[28402]:       Normalize Spaces:       
>    YES
> Dec 19 16:12:13 portableBS snort[28402]:       Ignore Data:            
>    NO
> Dec 19 16:12:13 portableBS snort[28402]:       Ignore TLS Data:        
>    NO
> Dec 19 16:12:13 portableBS snort[28402]:       Ignore Alerts:          
>    NO
> Dec 19 16:12:13 portableBS snort[28402]:       Max Command Length:     
>    0
> Dec 19 16:12:13 portableBS snort[28402]:       Max Header Line Length: 
>    0
> Dec 19 16:12:13 portableBS snort[28402]:       Max Response Line
> Length:   0
> Dec 19 16:12:13 portableBS snort[28402]:       X-Link2State Alert:     
>    YES
> Dec 19 16:12:13 portableBS snort[28402]:       Drop on X-Link2State
> Alert: NO
> Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> 'dce.bind.netware_cs' is checked but not ever set.
> Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> 'dce.isystemactivator.bind' is checked but not ever set.
> Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> 'dce.bind.veritas' is set but not ever checked.
> Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> 'realplayer.playlist' is checked but not ever set.
> Dec 19 16:12:13 portableBS snort[28402]: Warning: flowbits key
> 'ms_sql_seen_dns' is checked but not ever set.
> Dec 19 16:12:13 portableBS snort[28402]: 248 out of 512 flowbits in
> use.
> Dec 19 16:12:13 portableBS snort[28402]: *** *** interface device
> lookup found: rl0 ***
> Dec 19 16:12:13 portableBS snort[28402]: Initializing daemon mode
> Dec 19 16:12:13 portableBS snort[28403]: PID path stat checked out ok,
> PID path set to /var/run/
> Dec 19 16:12:13 portableBS snort[28403]: Writing PID "28403" to file
> "/var/run//snort_rl0.pid"
> Dec 19 16:12:13 portableBS snort[28402]: Daemon parent exiting
> Dec 19 16:12:13 portableBS snort[28403]: Daemon initialized, signaled
> parent pid: 28402
>
>
>
> If I launch the command like this, for example:
>
>
> /usr/local/bin/snort -i rl0 /usr/local/etc/snort/snort.conf
>
> I receive this error message:
> .....
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'dce.bind.netware_cs' is checked but not ever
> set.
> Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever
> set.
> Warning: flowbits key 'dce.isystemactivator.bind' is checked but not
> ever set.
> Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> 248 out of 512 flowbits in use.
>
> Initializing Network Interface rl0
> ERROR: OpenPcap() FSM compilation failed:
>         syntax error
> PCAP command: /usr/local/etc/snort/snort.conf
> Fatal Error, Quitting..
>   
>


In the above command line you forgot to use the -c switch with the 
config file, so Snort was trying to compile a BPF filter with the config 
path.
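The parsing rule behind that error, as an added example that is not Snort's code and not part of this thread: Snort 2.x hands the switches it recognises to getopt() and joins whatever is left on the command line into one string that libpcap compiles as a BPF filter, so a config path given without -c becomes the "PCAP command" shown above. The script below models that rule and flags the mistake before snort is started. The option table is an assumed subset of Snort 2.x switches (reconstructed here for illustration, not copied from Snort), and the argv lists in the test are taken from the post plus constructed variants.

```python
"""Preflight check for a Snort 2.x command line (added example, not Snort code).

Models Snort's argument handling as described in the reply above: recognised
switches are consumed, everything left over is joined into a BPF filter
expression.  A trailing argument that looks like a file path therefore almost
always means a forgotten -c.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed subset of Snort 2.x switches (illustrative, not the full getopt string).
OPTS_WITH_VALUE = {"-c", "-i", "-l", "-r", "-h", "-F", "-g", "-u", "-t", "-G",
                   "-S", "-P", "-A", "-k", "-K", "-m", "-n", "-L", "-R", "-w", "-B"}
FLAG_OPTS = {"-D", "-T", "-v", "-d", "-e", "-q", "-N", "-O", "-y", "-X", "-b",
             "-C", "-I", "-M", "-o", "-p", "-s", "-U", "-V", "-z"}


@dataclass
class SnortCmdline:
    config: Optional[str] = None      # value of -c, if any
    interface: Optional[str] = None   # value of -i, if any
    bpf_filter: str = ""              # what libpcap would be asked to compile
    warnings: List[str] = field(default_factory=list)


def _is_flag_cluster(arg: str) -> bool:
    """True for clustered bare flags such as -dev (= -d -e -v)."""
    return len(arg) > 1 and arg[0] == "-" and all(f"-{c}" in FLAG_OPTS for c in arg[1:])


def parse_snort_argv(argv: List[str]) -> SnortCmdline:
    """Split argv[1:] into switches and the leftover BPF expression."""
    cl = SnortCmdline()
    args = list(argv[1:])
    positional: List[str] = []
    i = 0
    while i < len(args):
        a = args[i]
        if a == "--":                       # explicit end of options
            positional.extend(args[i + 1:])
            break
        if a in OPTS_WITH_VALUE:
            if i + 1 >= len(args):
                raise ValueError(f"option {a} requires a value")
            value = args[i + 1]
            if a == "-c":
                cl.config = value
            elif a == "-i":
                cl.interface = value
            i += 2
            continue
        if a in FLAG_OPTS or _is_flag_cluster(a):
            i += 1
            continue
        if a.startswith("-") and len(a) > 1:
            raise ValueError(f"unknown option {a}")
        positional.append(a)                # leftover -> BPF filter token
        i += 1

    cl.bpf_filter = " ".join(positional)
    if cl.config is None:
        cl.warnings.append("no -c given: no rules file will be loaded")
    for tok in positional:
        # A path-like token in the filter is the classic forgotten -c.
        if "/" in tok or tok.endswith(".conf"):
            cl.warnings.append(
                f"positional argument {tok!r} will be compiled as a BPF filter; "
                f"did you mean '-c {tok}'?")
    return cl


if __name__ == "__main__":
    # Command line from the post above.
    for argv in (["/usr/local/bin/snort", "-i", "rl0", "/usr/local/etc/snort/snort.conf"],
                 ["/usr/local/bin/snort", "-i", "rl0", "-c", "/usr/local/etc/snort/snort.conf"]):
        result = parse_snort_argv(argv)
        print(" ".join(argv))
        print(f"  config={result.config!r} iface={result.interface!r} bpf={result.bpf_filter!r}")
        for w in result.warnings:
            print(f"  WARNING: {w}")
```

Running it on the command line from the post reports an empty config and the snort.conf path as the BPF expression, which is exactly the state the "PCAP command:" line in the error describes; with -c added the filter is empty and no warning is raised.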


