Snort mailing list archives
Re: community.rules file - failure error during restart or start of snort
From: "Farnsworth, Robert" <robert.farnsworth () hp com>
Date: Wed, 30 Apr 2014 19:21:48 +0000
Here's the /var/adm/messages tailed output 100 lines from today

Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24927, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24926, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24925, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24940, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24939, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24938, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24937, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24936, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24935, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24934, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24933, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24948, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24947, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24946, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24945, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24944, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24943, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24942, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24941, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24954, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24953, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24952, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24951, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24950, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24949, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24924, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24923, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24922, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24921, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24920, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24919, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25501, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25500, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25499, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25482, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25481, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25480, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25490, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25489, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25488, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25487, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25486, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25485, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25484, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25483, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25498, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25497, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25496, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25495, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25494, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25493, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25492, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 25491, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Verifying Preprocessor Configurations!
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] TCP tracking disabled, no TCP sessions allocated
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] ICMP tracking disabled, no ICMP sessions allocated
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] IP tracking disabled, no IP sessions allocated
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] WARNING: flowbits key 'telnet.ruggedcom' is set but not ever checked.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] WARNING: flowbits key 'smb.query_sec_desc' is set but not ever checked.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] WARNING: flowbits key 'file.jpeg' is checked but not ever set.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] 5 out of 1024 flowbits in use.
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice]
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] [ Port Based Pattern Matching Memory ]
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] +- [ Aho-Corasick Summary ] -------------------------------------
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Storage Format : Full-Q
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Finite Automaton : DFA
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Alphabet Size : 256 Chars
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Sizeof State : Variable (1,2,4 bytes)
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Instances : 38
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | 1 byte states : 35
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | 2 byte states : 3
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | 4 byte states : 0
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Characters : 4866
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | States : 3630
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Transitions : 48312
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | State Density : 5.2%
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Patterns : 315
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Match States : 274
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Memory (MB) : 1.78
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Patterns : 0.02
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | Match Lists : 0.03
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | DFA
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | 1 byte states : 0.15
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | 2 byte states : 1.50
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] | 4 byte states : 0.00
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] +----------------------------------------------------------------
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] [ Number of patterns truncated to 20 bytes: 12 ]
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] pcap DAQ configured to passive.
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] Acquiring network traffic from "e1000g5".
Apr 30 14:49:55 serverx snort[23007]: [ID 702911 daemon.notice] Initializing daemon mode
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Daemon initialized, signaled parent pid: 23007
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Reload thread starting...
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Reload thread started, thread 2 (23008)
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Decoding Ethernet
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Checking PID path...
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] PID path stat checked out ok, PID path set to /var/run/
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Writing PID "23008" to file "/var/run//snort_e1000g5.pid"
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice]
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] --== Initialization Complete ==--
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Commencing packet processing (pid=23008)

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Wednesday, April 30, 2014 3:14 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] community.rules file - failure error during restart or start of snort

On 4/30/2014 2:48 PM, Farnsworth, Robert wrote:
This is the complete output.

135 serverx /usr/local/snort/etc$ /etc/init.d/snort_rc restart
Stopping Snort: success
Starting Snort: failure
136 serverx /usr/local/snort/etc$

that's the output from the startup script... we need to see the /snort/ output... you should find it in your logs... if you are running on *nix, you should find it in your /var/log/messages file

there may be several hundred lines... we only need to see maybe the last 20 of the snort related entries... the following might be helpful...

    grep -iE "snort\[" /var/log/messages | tail -n 20

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
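
An added example, not part of the original posts: a shell filter that summarises Snort startup entries in syslog text like the output posted above, counting disabled encoded rules and flowbits warnings and reporting whether "Initialization Complete" was logged. The sample lines are constructed in the format shown in the post; the function names and the "fatal error" match are assumptions.

```shell
#!/bin/sh
# Added example: summarise Snort startup messages from syslog text on stdin.

# Constructed sample in the syslog format shown in the post above.
sample_log() {
cat <<'EOF'
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24927, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24926, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:49:53 serverx sshd[411]: [ID 800047 auth.info] constructed unrelated entry
Apr 30 14:49:53 serverx snort[23007]: [ID 702911 daemon.notice] WARNING: flowbits key 'file.jpeg' is checked but not ever set.
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] --== Initialization Complete ==--
Apr 30 14:49:55 serverx snort[23008]: [ID 702911 daemon.notice] Commencing packet processing (pid=23008)
EOF
}

# Constructed sample of a start that aborts (message text is an assumption).
sample_failed_log() {
cat <<'EOF'
Apr 30 14:40:01 serverx snort[22001]: [ID 702911 daemon.notice] Encoded Rule Plugin SID: 24927, GID: 3 not registered properly. Disabling this rule.
Apr 30 14:40:01 serverx snort[22001]: [ID 702911 daemon.error] FATAL ERROR: constructed example of a fatal startup message
EOF
}

# Reads syslog lines on stdin and prints a one-line summary of snort[pid] entries.
snort_startup_summary() {
    awk '
        !/snort\[[0-9]+\]:/            { next }          # skip other daemons
        /not registered properly/      { disabled++ }    # rules Snort disabled at load
        /WARNING: flowbits key/        { flowbits++ }    # set/checked mismatches
        tolower($0) ~ /fatal error/    { fatal++ }       # assumed fatal-error wording
        /Initialization Complete/      { init = "yes" }
        /Commencing packet processing/ && match($0, /pid=[0-9]+/) {
            pid = substr($0, RSTART + 4, RLENGTH - 4)    # daemon PID after fork
        }
        END {
            printf "disabled_rules=%d flowbits_warnings=%d fatal=%d init_complete=%s pid=%s\n",
                disabled, flowbits, fatal, (init ? init : "no"), (pid ? pid : "-")
        }'
}

# Exit status 0 only if the log shows a completed start and no fatal error.
snort_started() {
    case "$(snort_startup_summary)" in
        *"fatal=0 init_complete=yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: summarise the constructed sample.
sample_log | snort_startup_summary
```

On a live host the input would come from the log file instead, for example `tail -n 100 /var/adm/messages | snort_startup_summary`.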