Snort mailing list archives

Fatal error when starting snort on the sensor


From: Juan Fernandez <Juan.Fernandez () deltathree com>
Date: Sat, 18 Sep 2004 05:28:00 +0300

 
 

Hi !!! 


It seems that I just had to comment out this:
 
#preprocessor http_inspect_server: server 1.1.1.1 \
ports { 80 3128 8080 } \
flow_depth 0 \
ascii no \

 

but now I receive another fatal error !!!   :-(

 
Here is what I see now in /var/log/messages:
 
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(30): Duplicate classification "not-suspicious"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(31): Duplicate classification "unknown"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(32): Duplicate classification "bad-unknown"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(33): Duplicate classification "attempted-recon"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(34): Duplicate classification "successful-recon-limited"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(35): Duplicate classification "successful-recon-largescale"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(36): Duplicate classification "attempted-dos"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(37): Duplicate classification "successful-dos"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(38): Duplicate classification "attempted-user"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(39): Duplicate classification "unsuccessful-user"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(40): Duplicate classification "successful-user"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(41): Duplicate classification "attempted-admin"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(42): Duplicate classification "successful-admin"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(46): Duplicate classification "rpc-portmap-decode"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(47): Duplicate classification "shellcode-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(48): Duplicate classification "string-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(49): Duplicate classification "suspicious-filename-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(50): Duplicate classification "suspicious-login"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(51): Duplicate classification "system-call-detect"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(52): Duplicate classification "tcp-connection"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(53): Duplicate classification "trojan-activity"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(54): Duplicate classification "unusual-client-port-connection"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(55): Duplicate classification "network-scan"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(56): Duplicate classification "denial-of-service"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(57): Duplicate classification "non-standard-protocol"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(58): Duplicate classification "protocol-command-decode"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(59): Duplicate classification "web-application-activity"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(60): Duplicate classification "web-application-attack"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(61): Duplicate classification "misc-activity"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(62): Duplicate classification "misc-attack"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(63): Duplicate classification "icmp-event"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(64): Duplicate classification "kickass-porn"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(65): Duplicate classification "policy-violation"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: /etc/snort/classification.config(66): Duplicate classification "default-login-attempt"found, ignoring this line
Sep 18 00:50:17 sensjrlan snort: FATAL ERROR: Undefined variable name: (/etc/snort/rules/bad-traffic.rules:12): EXTERNAL_NET
 
 
what to do ?
 
thanks very much !!!
 

-----Original Message-----
From: Esler, Joel - Contractor [mailto:joel.esler () rcert-s army mil]
Sent: Friday, September 17, 2004 10:13 PM
To: Juan Fernandez
Subject: RE: [Snort-users] Fatal error when starting snort on the sensor



 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Juan Fernandez
Sent: Friday, September 17, 2004 2:11 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Fatal error when starting snort on the sensor



Hi Guys!!    

 

When I start snort manually from the command line /etc/init.d/snort start I
see that snort starts:

 

Starting Intrusion Database System: SNORT

SNORT is up and running!

 

In /var/log/messages I see:

 

Sep 17 21:02:54 sensjrlan snort: FATAL ERROR: /etc/snort/snort.conf(458) => Unknown rule type: ports

 

In snort.conf the 458 line is this:

 

output database: alert, mysql, user=snort password=snort dbname=snort host=208.170.171.199 sensor_name=sensjrlan

 

Mysql and acid are on another server (208.170.171.199) I checked that I can
telnet to port 3306 so what's wrong ?

 

Thanks very much!!!
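
A pre-flight check for the two conditions in the log above (classification names defined more than once, and a rule variable such as EXTERNAL_NET used before any `var` line defines it), added here as an example and not part of the original message or of Snort itself. The file contents are constructed samples, `lint` and `logical_lines` are hypothetical helper names, and only the plain `$NAME` reference form is handled.

```python
import re

VAR_REF = re.compile(r"\$(\w+)")  # plain $NAME form only (assumption)
CHECKED = {"var", "include", "alert", "log", "pass", "activate", "dynamic", "drop"}

SAMPLE = {  # constructed sample files (not the poster's configuration)
    "snort.conf": "var HOME_NET 10.0.0.0/8\nvar RULE_PATH rules\n"
                  "include classification.config\ninclude classification.config\n"
                  "include $RULE_PATH/bad-traffic.rules\n",
    "classification.config": "config classification: unknown,Unknown Traffic,3\n",
    "rules/bad-traffic.rules": "alert tcp $EXTERNAL_NET any -> $HOME_NET 0 \\\n"
                               '    (msg:"constructed"; sid:1000001;)\n',
}

def logical_lines(text):
    """Yield (first_line_no, statement) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", 0
    if buf:  # file ended on a dangling continuation
        yield start, buf.strip()

def lint(files, path, st=None):
    """Walk files in parse order; return (location, problem, name) findings."""
    st = st or {"vars": {}, "classes": {}, "findings": []}
    for n, stmt in logical_lines(files[path]):
        if not stmt or stmt.startswith("#"):
            continue
        word, rest = (stmt.split(None, 1) + [""])[:2]
        scope = rest.partition(" ")[2] if word == "var" else rest.split("(", 1)[0]
        for name in VAR_REF.findall(scope if word in CHECKED else ""):
            if name not in st["vars"]:  # used before any var line defined it
                st["findings"].append((f"{path}:{n}", "undefined-variable", name))
        if word == "var" and rest:
            st["vars"][rest.split()[0]] = scope.strip()
        elif word == "include":
            target = VAR_REF.sub(lambda m: st["vars"].get(m.group(1), m.group(0)), rest)
            if target in files:  # follow the include with the state so far
                lint(files, target, st)
        elif stmt.startswith("config classification:"):
            name = stmt.split(":", 1)[1].split(",")[0].strip()
            if name in st["classes"]:
                st["findings"].append((f"{path}:{n}", "duplicate-classification", name))
            st["classes"].setdefault(name, f"{path}:{n}")
    return st["findings"]
```

Calling `lint(SAMPLE, "snort.conf")` reports the classification name seen on the second include and the variable referenced in the rule header with no earlier `var` definition.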

 

 

