Snort mailing list archives
Fatal error when starting snort on the sensor
From: Juan Fernandez <Juan.Fernandez () deltathree com>
Date: Sat, 18 Sep 2004 05:28:00 +0300
Hi!!!

It seems that I just had to comment out this:

#preprocessor http_inspect_server: server 1.1.1.1 \
    ports { 80 3128 8080 } \
    flow_depth 0 \
    ascii no \

but now I receive another fatal error!!! :-(

Here is what I see now in /var/log/messages:

Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(31): Duplicate classification "unknown"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(40): Duplicate classification "successful-user"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(48): Duplicate classification "string-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(55): Duplicate classification "network-scan"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: FATAL ERROR: Undefined variable name: (/etc/snort/rules/bad-traffic.rules:12): EXTERNAL_NET

What to do?

Thanks very much!!!

-----Original Message-----
From: Esler, Joel - Contractor [mailto:joel.esler () rcert-s army mil]
Sent: Friday, September 17, 2004 10:13 PM
To: Juan Fernandez
Subject: RE: [Snort-users] Fatal error when starting snort on the sensor

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Juan Fernandez
Sent: Friday, September 17, 2004 2:11 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Fatal error when starting snort on the sensor

Hi Guys!!

When I start snort manually from the command line

/etc/init.d/snort start

I see that snort starts:

Starting Intrusion Database System: SNORT SNORT is up and running!

In /var/log/messages I see:

Sep 17 21:02:54 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(458) => Unknown rule type: ports

In snort.conf the 458 line is this:

output database: alert, mysql, user=snort password=snort dbname=snort host=208.170.171.199 sensor_name=sensjrlan

Mysql and acid are on another server (208.170.171.199). I checked that I can telnet to port 3306, so what's wrong?

Thanks very much!!!
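The two conditions in the log above, duplicate "config classification" names and a rule that references a variable with no active "var" line, can be checked before the sensor is started. The following is an added example, not part of the original post or of Snort itself; the function name, the sample files and the rule are constructed, and Snort 2.x "var" / "include" / "config classification" syntax is assumed.

```python
import re

# Added example. Assumes Snort 2.x syntax: "var NAME value" (ipvar/portvar in
# later 2.x releases) and "config classification: name,description,priority".
VAR_DEF = re.compile(r'^(?:var|ipvar|portvar)\s+(\w+)\s+(.*)$')
CLASS_DEF = re.compile(r'^config\s+classification:\s*([^,\s]+)\s*,')
HEADER = re.compile(r'^(?:include|alert|log|pass|activate|dynamic|drop|reject|sdrop)\s')
VAR_USE = re.compile(r'\$\(?(\w+)')

def preflight(files):
    """files: (name, text) pairs in read order -> (undefined, duplicates)."""
    defined, classes, undefined, duplicates = set(), set(), [], []
    for name, text in files:
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith('#'):
                continue  # a commented-out "var" defines nothing
            scan, new_var = '', None
            var, cls = VAR_DEF.match(line), CLASS_DEF.match(line)
            if var:
                new_var, scan = var.groups()
            elif HEADER.match(line):
                # Scan only the include path or rule header; option strings
                # (content, pcre) may hold a literal "$".
                scan = re.split(r'\s\(', line, maxsplit=1)[0]
            elif cls:
                if cls.group(1) in classes:
                    duplicates.append((name, no, cls.group(1)))
                classes.add(cls.group(1))
            undefined += [(name, no, v) for v in VAR_USE.findall(scan)
                          if v not in defined]
            if new_var:
                defined.add(new_var)
    return undefined, duplicates

# Constructed sample files (not the poster's configuration).
SAMPLE = [
    ("snort.conf", "var HOME_NET 10.0.0.0/8\n#var EXTERNAL_NET any\n"
                   "var RULE_PATH /etc/snort/rules\ninclude classification.config\n"
                   "include $RULE_PATH/bad-traffic.rules\n"),
    ("classification.config", "config classification: unknown,Unknown Traffic,3\n" * 2),
    ("bad-traffic.rules",
     'alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"constructed $x"; sid:1000001;)\n'),
]

if __name__ == "__main__":
    undefined, duplicates = preflight(SAMPLE)
    print("undefined variables:", undefined)
    print("duplicate classifications:", duplicates)
```

Each finding is a (file, line number, name) tuple, the same three pieces of information the Snort messages above carry.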