Snort mailing list archives

Re: Snort Services Failed to Start


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Mon, 17 Mar 2014 18:13:29 +0000

Right ... then you need to also delete this:

 /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so
________________________________________
From: Vona, Steven A CIV NSWCCD Philadelphia, 34117 [steven.vona () navy mil]
Sent: Monday, March 17, 2014 2:12 PM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

I just commented out the 6 lines pertaining to preprocessor pop and I am receiving the same error.



-----Original Message-----
From: Russ Combs (rucombs) [mailto:rucombs () cisco com]
Sent: Monday, March 17, 2014 2:04 PM
To: Vona, Steven A CIV NSWCCD Philadelphia, 34117; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

Something is out of sync between your Snort binary and your shared libs.  What happens if you comment pop out of your conf?  Is that the only thing that is borked?
________________________________________
From: Vona, Steven A CIV NSWCCD Philadelphia, 34117 [steven.vona () navy mil]
Sent: Monday, March 17, 2014 1:53 PM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

Sorry but that was a mistake (A typo).

I am deleting the preprocessors from:

/usr/local/lib/snort_dynamicpreprocessor/*

Not from

/usr/local/lib/snort/_dynamicpreprocessor/*

I have tried deleting everything from that directory and reinstalling, still receiving the same error.



-----Original Message-----
From: Russ Combs (rucombs) [mailto:rucombs () cisco com]
Sent: Monday, March 17, 2014 1:47 PM
To: Vona, Steven A CIV NSWCCD Philadelphia, 34117; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

I think wkitty is correct:

You are loading from here:
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...

But deleting from here:

rm -rf /usr/local/lib/snort/_dynamicpreprocessor/*

I will open a bug so that ERROR goes to the correct place.

________________________________________
From: Vona, Steven A CIV NSWCCD Philadelphia, 34117 [steven.vona () navy mil]
Sent: Monday, March 17, 2014 12:12 PM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

Genius...

Here is the error I am receiving when starting snort without the -D option.

ERROR size 840 != 864
ERROR: Failed to initialize dynamic preprocessor: SF_POP version 1.0.1 (-2) Fatal Error, Quitting..



-----Original Message-----
From: Russ Combs (rucombs) [mailto:rucombs () cisco com]
Sent: Monday, March 17, 2014 12:06 PM
To: Vona, Steven A CIV NSWCCD Philadelphia, 34117; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

To narrow it down, try starting w/o -D and w/o -M so that all output goes to console.  The ERROR should then appear somewhere more useful.  :)
________________________________________
From: Vona, Steven A CIV NSWCCD Philadelphia, 34117 [steven.vona () navy mil]
Sent: Monday, March 17, 2014 11:55 AM
To: Russ Combs (rucombs); snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

Thanks Russ,
I am using an init script to start snort, it is the same script that we use on 6 of our other sensors.

When I run the init script I only see:

Starting snort:  SnortERROR size 840 != 864

Oddly enough, there is no fatal error recorded in syslog.  Below is the full syslog.

Mar 17 11:46:26 bht3hprp snort[31253]: Running in IDS mode
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]:         --== Initializing Snort ==--
Mar 17 11:46:26 bht3hprp snort[31253]: Initializing Output Plugins!
Mar 17 11:46:26 bht3hprp snort[31253]: Initializing Preprocessors!
Mar 17 11:46:26 bht3hprp snort[31253]: Initializing Plug-ins!
Mar 17 11:46:26 bht3hprp snort[31253]: Parsing Rules file "/etc/snort/snort.conf"
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'HTTP_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'SHELLCODE_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 0:79 81:65535 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'ORACLE_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 1024:65535 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'SSH_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 22 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'FTP_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 21 2100 3535 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'SIP_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 5060:5061 5600 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'FILE_DATA_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 80:81 110 143 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180:8181 8243 8280 8800 8888 8899 9080 9090:9091 9443 9999 11371 55555 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: PortVar 'GTP_PORTS' defined :
Mar 17 11:46:26 bht3hprp snort[31253]:  [ 2123 2152 3386 ]
Mar 17 11:46:26 bht3hprp snort[31253]:
Mar 17 11:46:26 bht3hprp snort[31253]: Detection:
Mar 17 11:46:26 bht3hprp snort[31253]:    Search-Method = AC-Full-Q
Mar 17 11:46:26 bht3hprp snort[31253]:     Split Any/Any group = enabled
Mar 17 11:46:26 bht3hprp snort[31253]:     Search-Method-Optimizations = enabled
Mar 17 11:46:26 bht3hprp snort[31253]:     Maximum pattern length = 20
Mar 17 11:46:26 bht3hprp snort[31253]: Tagged Packet Limit: 256
Mar 17 11:46:26 bht3hprp snort[31253]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
Mar 17 11:46:26 bht3hprp snort[31253]: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
Mar 17 11:46:26 bht3hprp snort[31253]:   Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Mar 17 11:46:26 bht3hprp snort[31253]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]: done
Mar 17 11:46:26 bht3hprp snort[31253]:   Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Mar 17 11:46:26 bht3hprp snort[31253]: Log directory = /var/log/snort
Mar 17 11:46:26 bht3hprp snort[31253]: WARNING: ip4 normalizations disabled because not inline.
Mar 17 11:46:26 bht3hprp snort[31253]: WARNING: tcp normalizations disabled because not inline.
Mar 17 11:46:26 bht3hprp snort[31253]: WARNING: icmp4 normalizations disabled because not inline.
Mar 17 11:46:26 bht3hprp snort[31253]: WARNING: ip6 normalizations disabled because not inline.
Mar 17 11:46:26 bht3hprp snort[31253]: WARNING: icmp6 normalizations disabled because not inline.
Mar 17 11:46:26 bht3hprp snort[31253]: Frag3 global config:
Mar 17 11:46:26 bht3hprp snort[31253]:     Max frags: 65536
Mar 17 11:46:26 bht3hprp snort[31253]:     Fragment memory cap: 4194304 bytes
Mar 17 11:46:26 bht3hprp snort[31253]: Frag3 engine config:
Mar 17 11:46:26 bht3hprp snort[31253]:     Bound Address: default
Mar 17 11:46:26 bht3hprp snort[31253]:     Target-based policy: WINDOWS
Mar 17 11:46:26 bht3hprp snort[31253]:     Fragment timeout: 180 seconds
Mar 17 11:46:26 bht3hprp snort[31253]:     Fragment min_ttl:   1
Mar 17 11:46:26 bht3hprp snort[31253]:     Fragment Anomalies: Alert
Mar 17 11:46:26 bht3hprp snort[31253]:     Overlap Limit:     10
Mar 17 11:46:26 bht3hprp snort[31253]:     Min fragment Length:     100
Mar 17 11:46:26 bht3hprp snort[31253]: Stream5 global config:
Mar 17 11:46:26 bht3hprp snort[31253]:     Track TCP sessions: ACTIVE
Mar 17 11:46:26 bht3hprp snort[31253]:     Max TCP sessions: 262144
Mar 17 11:46:26 bht3hprp snort[31253]:     TCP cache pruning timeout: 30 seconds
Mar 17 11:46:26 bht3hprp snort[31253]:     TCP cache nominal timeout: 3600 seconds
Mar 17 11:46:26 bht3hprp snort[31253]:     Memcap (for reassembly packet storage): 8388608
Mar 17 11:46:26 bht3hprp snort[31253]:     Track UDP sessions: ACTIVE
Mar 17 11:46:26 bht3hprp snort[31253]:     Max UDP sessions: 131072
Mar 17 11:46:26 bht3hprp snort[31253]:     UDP cache pruning timeout: 30 seconds
Mar 17 11:46:26 bht3hprp snort[31253]:     UDP cache nominal timeout: 180 seconds
Mar 17 11:46:26 bht3hprp snort[31253]:     Track ICMP sessions: INACTIVE
Mar 17 11:46:26 bht3hprp snort[31253]:     Track IP sessions: INACTIVE
Mar 17 11:46:26 bht3hprp snort[31253]:     Log info if session memory consumption exceeds 1048576
Mar 17 11:46:26 bht3hprp snort[31253]:     Send up to 2 active responses
Mar 17 11:46:26 bht3hprp snort[31253]:     Wait at least 5 seconds between responses
Mar 17 11:46:26 bht3hprp snort[31253]:     Protocol Aware Flushing: ACTIVE
Mar 17 11:46:26 bht3hprp snort[31253]:         Maximum Flush Point: 16000
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Expected Streams: 768
Mar 17 11:46:26 bht3hprp snort[31253]: Stream5 TCP Policy config:
Mar 17 11:46:26 bht3hprp snort[31253]:     Bound Address: default
Mar 17 11:46:26 bht3hprp snort[31253]:     Reassembly Policy: WINDOWS
Mar 17 11:46:26 bht3hprp snort[31253]:     Timeout: 180 seconds
Mar 17 11:46:26 bht3hprp snort[31253]:     Limit on TCP Overlaps: 10
Mar 17 11:46:26 bht3hprp snort[31253]:     Maximum number of bytes to queue per session: 1048576
Mar 17 11:46:26 bht3hprp snort[31253]:     Maximum number of segs to queue per session: 2621
Mar 17 11:46:26 bht3hprp snort[31253]:     Options:
Mar 17 11:46:26 bht3hprp snort[31253]:         Require 3-Way Handshake: YES
Mar 17 11:46:26 bht3hprp snort[31253]:         3-Way Handshake Timeout: 180
Mar 17 11:46:26 bht3hprp snort[31253]:         Detect Anomalies: YES
Mar 17 11:46:26 bht3hprp snort[31253]:     Reassembly Ports:
Mar 17 11:46:26 bht3hprp snort[31253]:       21 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       22 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       23 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       25 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       42 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       53 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       79 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       80 client (Footprint) server (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       81 client (Footprint) server (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       109 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       110 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       111 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       113 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       119 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       135 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       136 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       137 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       139 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       143 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       161 client (Footprint)
Mar 17 11:46:26 bht3hprp snort[31253]:       additional ports configured but not printed.
Mar 17 11:46:26 bht3hprp snort[31253]: Stream5 UDP Policy config:
Mar 17 11:46:26 bht3hprp snort[31253]:     Timeout: 180 seconds
Mar 17 11:46:26 bht3hprp snort[31253]: HttpInspect Config:
Mar 17 11:46:26 bht3hprp snort[31253]:     GLOBAL CONFIG
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Pipeline Requests:    0
Mar 17 11:46:26 bht3hprp snort[31253]:       Inspection Type:          STATELESS
Mar 17 11:46:26 bht3hprp snort[31253]:       Detect Proxy Usage:       NO
Mar 17 11:46:26 bht3hprp snort[31253]:       IIS Unicode Map Filename: /etc/snort/unicode.map
Mar 17 11:46:26 bht3hprp snort[31253]:       IIS Unicode Map Codepage: 1252
Mar 17 11:46:26 bht3hprp snort[31253]:       Memcap used for logging URI and Hostname: 150994944
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Gzip Memory: 838860
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Gzip Sessions: 5518
Mar 17 11:46:26 bht3hprp snort[31253]:       Gzip Compress Depth: 65535
Mar 17 11:46:26 bht3hprp snort[31253]:       Gzip Decompress Depth: 65535
Mar 17 11:46:26 bht3hprp snort[31253]:     DEFAULT SERVER CONFIG:
Mar 17 11:46:26 bht3hprp snort[31253]:       Server profile: All
Mar 17 11:46:26 bht3hprp snort[31253]:       Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
Mar 17 11:46:26 bht3hprp snort[31253]:       Server Flow Depth: 0
Mar 17 11:46:26 bht3hprp snort[31253]:       Client Flow Depth: 0
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Chunk Length: 500000
Mar 17 11:46:26 bht3hprp snort[31253]:       Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Header Field Length: 750
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Number Header Fields: 100
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Number of WhiteSpaces allowed with header folding: 0
Mar 17 11:46:26 bht3hprp snort[31253]:       Inspect Pipeline Requests: YES
Mar 17 11:46:26 bht3hprp snort[31253]:       URI Discovery Strict Mode: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Allow Proxy Usage: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Disable Alerting: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Oversize Dir Length: 500
Mar 17 11:46:26 bht3hprp snort[31253]:       Only inspect URI: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Normalize HTTP Headers: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Inspect HTTP Cookies: YES
Mar 17 11:46:26 bht3hprp snort[31253]:       Inspect HTTP Responses: YES
Mar 17 11:46:26 bht3hprp snort[31253]:       Extract Gzip from responses: YES
Mar 17 11:46:26 bht3hprp snort[31253]:       Unlimited decompression of gzip data from responses: YES
Mar 17 11:46:26 bht3hprp snort[31253]:       Normalize Javascripts in HTTP Responses: YES
Mar 17 11:46:26 bht3hprp snort[31253]:       Max Number of WhiteSpaces allowed with Javascript Obfuscation in HTTP responses: 200
Mar 17 11:46:26 bht3hprp snort[31253]:       Normalize HTTP Cookies: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Enable XFF and True Client IP: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Log HTTP URI data: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Log HTTP Hostname data: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Extended ASCII code support in URI: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Ascii: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Double Decoding: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       %U Encoding: YES alert: YES
Mar 17 11:46:26 bht3hprp snort[31253]:       Bare Byte: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       UTF 8: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       IIS Unicode: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Multiple Slash: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       IIS Backslash: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Directory Traversal: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Web Root Traversal: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       Apache WhiteSpace: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       IIS Delimiter: YES alert: NO
Mar 17 11:46:26 bht3hprp snort[31253]:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Mar 17 11:46:26 bht3hprp snort[31253]:       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
Mar 17 11:46:26 bht3hprp snort[31253]:       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Mar 17 11:46:26 bht3hprp snort[31253]: rpc_decode arguments:
Mar 17 11:46:26 bht3hprp snort[31253]:     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
Mar 17 11:46:26 bht3hprp snort[31253]:     alert_fragments: INACTIVE


-----Original Message-----
From: Russ Combs (rucombs) [mailto:rucombs () cisco com]
Sent: Monday, March 17, 2014 11:41 AM
To: Vona, Steven A CIV NSWCCD Philadelphia, 34117; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

Can you send the output surrounding the "ERROR"?  There should be more context to that.

Thanks
Russ

________________________________________
From: Vona, Steven A CIV NSWCCD Philadelphia, 34117 [steven.vona () navy mil]
Sent: Monday, March 17, 2014 11:19 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Services Failed to Start

I deleted the preprocessor directory as suggested.

rm -rf /usr/local/lib/snort/_dynamicpreprocessor/*

I reinstalled and the directory is not repopulated, but I am receiving the same error.

Thanks in advance for your help!


-----Original Message-----
From: Vona, Steven A CIV NSWCCD Philadelphia, 34117
Sent: Friday, March 14, 2014 8:24 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort Services Failed to Start

Can you please tell me exactly how to do this?  I found an old article that suggested the same thing but I am unsure of exactly how this is done.


-----Original Message-----
From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Wednesday, March 12, 2014 12:40 PM
To: Vona, Steven A CIV NSWCCD Philadelphia, 34117
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Services Failed to Start

Looks like you may need to clean out your old preprocessors (2.9.5.5) and replace them with 2.9.6.0.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team


On Mar 12, 2014, at 11:50 AM, Vona, Steven A CIV NSWCCD Philadelphia, 34117 <steven.vona () navy mil> wrote:


        I recently updated my snort from 2.9.5.5 to 2.9.6.0 and now I am receiving a rather cryptic error message.

        snortERROR size 840 != 864

        Can anyone point me to what may cause this?  Any additional information needed please let me know.

        Thanks in advance.
        ------------------------------------------------------------------------------
        Learn Graph Databases - Download FREE O'Reilly Book
        "Graph Databases" is the definitive new guide to graph databases and their
        applications. Written by three acclaimed leaders in the field,
        this first edition is now available. Download your free book today!
        http://p.sf.net/sfu/13534_NeoTech
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

        Please visit http://blog.snort.org to stay current on all the latest Snort news!
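
An added example (not part of the original thread, and not Snort code): shell helpers that read from a startup log the directory Snort reports loading dynamic preprocessors from, check it against the path that was cleaned, and list libraries that a reinstall did not rewrite. The function names and the marker-file convention (a file touched just before `make install`) are assumptions; the sample log lines are taken from the output quoted in this thread.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not part of Snort.

# Collapse repeated slashes and drop a trailing "/*" or "/" so paths compare equal.
norm_path() {
    printf '%s\n' "$1" | sed 's#//*#/#g; s#/\*$##; s#/$##'
}

# Directory Snort says it loads dynamic preprocessors from ($1 = startup log).
preproc_dir_from_log() {
    sed -n 's/.*Loading all dynamic preprocessor libs from \(.*\)\.\.\.$/\1/p' "$1" |
        sed 's#//*#/#g; s#/$##' | sort -u
}

# Every preprocessor library Snort reports loading ($1 = startup log).
loaded_libs_from_log() {
    sed -n 's/.*Loading dynamic preprocessor library \(.*\)\.\.\.$/\1/p' "$1" |
        sed 's#//*#/#g'
}

# Succeeds only if the path that was cleaned is the directory Snort loads from.
cleaned_right_dir() {   # $1 = startup log, $2 = path that was given to rm
    [ "$(norm_path "$2")" = "$(preproc_dir_from_log "$1")" ]
}

# Libraries in a directory that the reinstall did not rewrite: anything not
# newer than a marker file created just before "make install" (assumed convention).
stale_libs() {          # $1 = directory, $2 = marker file
    find "$1" -type f -name 'libsf_*_preproc.so*' ! -newer "$2" | sort
}

# Sample input: three log lines in the format shown in this thread.
sample_log() {
    cat <<'EOF'
Mar 17 11:46:26 bht3hprp snort[31253]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Mar 17 11:46:26 bht3hprp snort[31253]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so...
Mar 17 11:46:26 bht3hprp snort[31253]:   Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
EOF
}

# Demo: compare the two paths mentioned in the thread against the log.
log=$(mktemp) && sample_log > "$log"
echo "Snort loads from: $(preproc_dir_from_log "$log")"
for p in '/usr/local/lib/snort/_dynamicpreprocessor/*' \
         '/usr/local/lib/snort_dynamicpreprocessor/*'; do
    if cleaned_right_dir "$log" "$p"; then
        echo "match:    $p"
    else
        echo "MISMATCH: $p"
    fi
done
rm -f "$log"
```

On a real sensor, `stale_libs` would be run against the directory printed by `preproc_dir_from_log` after the reinstall; any library it lists was left over from the earlier version.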




