Re: snort 2.8.5 on x64 centos and "ERROR: Invalid argument: include"

[Agent Smith <news8080 () yahoo com>]

That did it. makes perfect sense too; it just needed a second set of eyes..

Thanks,

--- On Mon, 10/5/09, Todd Wease <twease () sourcefire com> wrote:

> From: Todd Wease <twease () sourcefire com>
> Subject: Re: [Snort-users] snort 2.8.5 on x64 centos and "ERROR: Invalid argument: include"
> To: "Agent Smith" <news8080 () yahoo com>
> Cc: snort-users () lists sourceforge net
> Date: Monday, October 5, 2009, 11:00 AM
>
> preprocessor sfportscan: proto  { all } \
>                
>          memcap { 10000000 }
> \
>                
>   max_client_bytes 19600 \
>                
>   max_encrypted_packets 20 \
>
>
> Remove the final back slash in the portscan
> configuration...
>
>
> Agent Smith wrote:
> > If I un-comment all the include statements
> (classification.config, reference.config and all rules) it
> works fine so its not the pre-processors.
> > Here is the snort.conf that I use WITH the includes
> that I want and its broken unless I take out the includes.
> > ====== cut here START
> > var RULE_PATH /etc/snort/rules
> > var HOME_NET any
> > var EXTERNAL_NET any
> > var DNS_SERVERS $HOME_NET
> > var SMTP_SERVERS $HOME_NET
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS $HOME_NET
> > var TELNET_SERVERS $HOME_NET
> > var SNMP_SERVERS $HOME_NET
> > var FTP_SERVERS $HOME_NET
> > var SSH_SERVERS $HOME_NET
> > var POP_SERVERS $HOME_NET
> > var IMAP_SERVERS $HOME_NET
> > var RPC_SERVERS $HOME_NET
> > var WWW_SERVERS $HOME_NET
> > var AIM_SERVERS
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,2
> > 05.188.179.0/24,205.188.248.0/24]
> > portvar HTTP_PORTS
> [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
> > portvar SHELLCODE_PORTS any 
> > portvar ORACLE_PORTS 1024: 
> > portvar AUTH_PORTS 113
> > portvar DNS_PORTS 53
> > portvar FINGER_PORTS 79
> > portvar FTP_PORTS 21
> > portvar IMAP_PORTS 143
> > portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
> > portvar MSSQL_PORTS 1433
> > portvar NNTP_PORTS 119
> > portvar POP2_PORTS 109
> > portvar POP3_PORTS 110
> > portvar SUNRPC_PORTS
> [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
> > portvar RLOGIN_PORTS 513
> > portvar RSH_PORTS 514
> > portvar SMB_PORTS [139,445]
> > portvar SMTP_PORTS 25
> > portvar SNMP_PORTS 161
> > portvar SSH_PORTS 22
> > portvar TELNET_PORTS 23
> > portvar MAIL_PORTS [25,143,465,691]
> > portvar SSL_PORTS [25,443,465,636,993,995]
> > portvar DCERPC_NCACN_IP_TCP [139,445]
> > portvar DCERPC_NCADG_IP_UDP [138,1024:]
> > portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
> > portvar DCERPC_NCACN_UDP_LONG [135,1024:]
> > portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
> > portvar DCERPC_NCACN_TCP [2103,2105,2107]
> > portvar DCERPC_BRIGHTSTORE [6503,6504]
> > config disable_decode_alerts
> > config disable_tcpopt_experimental_alerts
> > config disable_tcpopt_obsolete_alerts
> > config disable_tcpopt_ttcp_alerts
> > config disable_tcpopt_alerts
> > config disable_ipopt_alerts
> > config enable_decode_oversized_alerts
> > config checksum_mode: all
> > config disable_ttcp_alerts
> > config disable_decode_drops
> > config pcre_match_limit: 1500
> > config pcre_match_limit_recursion: 1500
> > config detection: search-method ac-bnfa
> > dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
> > dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
> > dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
> > dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
> > dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
> > dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
> > dynamicengine
> /usr/local/lib/snort_dynamicengine/libsf_engine.so
> > preprocessor frag3_global: max_frags 65536
> > preprocessor frag3_engine: policy windows timeout 180
> > preprocessor stream5_global: max_tcp 8192, track_tcp
> yes, \
> >                
>               track_udp
> yes
> > preprocessor stream5_tcp: policy windows,
> use_static_footprint_sizes, \
> > preprocessor stream5_udp: ignore_any_rules
> > preprocessor http_inspect: global iis_unicode_map
> unicode.map 1252 
> >      server default \
> >      apache_whitespace no \
> >      ascii no \
> >      bare_byte no \
> >      iis_backslash no \
> >      multi_slash no \
> >      non_rfc_char { 0x00 0x01 0x02
> 0x03 0x04 0x05 0x06 0x07 } \
> > preprocessor sfportscan: proto  { all } \
> >                
>           memcap { 10000000 } \
> >                
>    max_client_bytes 19600 \
> >                
>    max_encrypted_packets 20 \
> > include classification.config
> > include $RULE_PATH/local.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/web-frontpage.rules
> >
> > ====== cut here END
> >
> >
> > --- On Mon, 10/5/09, Todd Wease <twease () sourcefire com>
> wrote:
> >    
> > > From: Todd Wease <twease () sourcefire com>
> > > Subject: Re: [Snort-users] snort 2.8.5 on x64
> centos and "ERROR: Invalid argument: include"
> > > To: "Agent Smith" <news8080 () yahoo com>
> > > Cc: snort-users () lists sourceforge net
> > > Date: Monday, October 5, 2009, 9:46 AM
> > > On 10/05/2009 09:14 AM, Agent Smith
> > > wrote:
> > >      
> > > > I just installed snort 2.8.5 with the
> following
> > > >        
> > > configure;make ;make install. I didn't modify the
> default
> > > config file and tried to run it and it gave me
> include
> > > errors like listed below. The only thing I changed
> was
> > > RULE_PATH and that's it.
> > >      
> > > > /configure --enable-dynamicplugin
> > > >        
> > > --enable-timestats  --enable-ppm
> > > --enable-perfprofiling  --enable-gre
> --with-mysql
> > > --libdir=/usr/lib64 --with-libdir=lib64
> > > --with-mysql-libraries=/usr/lib64/mysql/
> > >      
> > > > var RULE_PATH /etc/snort/rules
> > > >
> > > > # snort -i eth3 -c /etc/snort/etc/snort.conf 
> > > >        
> > > --dynamic-preprocessor-lib-dir
> > > /usr/local/lib/snort_dynamicpreprocessor -vvv
> > >      
> > > > ..
> > > > ..
> > > > ..
> > > > Portscan Detection Config:
> > > >        Detect
> Protocols:  TCP UDP
> > > >        
> > > ICMP IP
> > >      
> > > >        Detect Scan
> Type:  portscan
> > > >        
> > > portsweep decoy_portscan distributed_portscan
> > >      
> > > >        Sensitivity
> Level: Low
> > > >        Memcap (in
> bytes): 10000000
> > > >        Number of
> > > >        
> > > Nodes:   31347
> > >      
> > > > ERROR: Invalid argument: include
> > > > Fatal Error, Quitting..
> > > >
> > > >
> > > > Anyone? I don't even know where to look. Its a
> 64bit
> > > >        
> > > centos 5 install.
> > >      
> > > Can you take a look at your dns and ssh
> configurations -
> > > looks like it 
> > > might be coming from one of those.  If you
> don't find
> > > any problems, can 
> > > you post your snort.conf or send to me directly?
> (obfuscate
> > > any 
> > > sensitive information in it first)
> > >
> > >      
> >
> >
> >        
> >    


      

------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users