Snort mailing list archives
Re: snort 2.9.9.0 error
From: "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com>
Date: Fri, 13 Jan 2017 14:23:10 +0000
This line controls which SWF file decompression algorithms are enabled. By default, Snort is built with ZLIB (deflate) decompression libraries, but NOT LZMA libraries. Specifying LZMA on this config line results in a config parsing error as without LZMA included, the LZMA keyword is unknown to the parser. There is a pending bug to improve the parsing logic and produce a better error if/when the keyword is present but without LZMA support. You can hashout (i.e. remove) this config line, but this will also remove the ZLIB/deflate file decompression mode also. Removing the LZMA keyword will fix the parsing error but leave the deflate mode enabled. Ed Borgoyn Cisco Snort Development Team From: Michael Steele <michaels () winsnort com> Date: Friday, January 13, 2017 at 8:45 AM To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net> Subject: Re: [Snort-users] snort 2.9.9.0 error What is the reason for changing the line below, shouldn’t it just be hashed out? 325: decompress_swf { deflate lzma } \ 325: decompress_swf { deflate } \ Kindest regards, Michael... WINSNORT.com Management Team Member -- ****************** Established ~ 2001 ******************* * Visit Us @ http://www.winsnort.com * * ~~ FREE WinIDS Snort installation guides ~~ * * ~~ FREE support forums ~~ * * Snort: Open Source Network IDS - http://www.snort.org * ********************************************************* From: Kumarswamy H N (kumhn) [mailto:kumhn () cisco com] Sent: Friday, January 13, 2017 4:29 AM To: Mojtaba Haghighipour <moj.haghighipour () gmail com>; Michael Steele <michaels () winsnort com> Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] snort 2.9.9.0 error Either you can install lzma package or change the line 325 to decompress_swf { deflate } \ From: Mojtaba Haghighipour [mailto:moj.haghighipour () gmail com] Sent: Friday, January 13, 2017 2:42 PM To: Michael Steele <michaels () winsnort com<mailto:michaels () winsnort com>> Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] snort 2.9.9.0 error it's my 325 and 326 line.. 325: decompress_swf { deflate lzma } \ 326: decompress_pdf { deflate } what should I do now?? On Fri, Jan 13, 2017 at 12:39 AM, Michael Steele <michaels () winsnort com<mailto:michaels () winsnort com>> wrote: This has been around for months and should displayed as a warning and not a fatal error. Kindest regards, Michael... WINSNORT.com Management Team Member -- ****************** Established ~ 2001 ******************* * Visit Us @ http://www.winsnort.com * * ~~ FREE WinIDS Snort installation guides ~~ * * ~~ FREE support forums ~~ * * Snort: Open Source Network IDS - http://www.snort.org * ********************************************************* From: Ed Borgoyn (eborgoyn) [mailto:eborgoyn () cisco com<mailto:eborgoyn () cisco com>] Sent: Thursday, January 12, 2017 12:52 PM To: Jim Campbell <jim () w4bqp net<mailto:jim () w4bqp net>>; snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] snort 2.9.9.0 error Does line 326 of snort.conf look like: decompress_swf { deflate lzma } If so, then try removing the ‘lzma’ keyword. If snort is not built with the LZMA libraries for LZMA SWF file decompression, then this keyword will lead to a syntax error. Ed Borgoyn Cisco Snort Development Team From: Jim Campbell <jim () w4bqp net<mailto:jim () w4bqp net>> Date: Thursday, January 12, 2017 at 12:20 PM To: "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>> Subject: Re: [Snort-users] snort 2.9.9.0 error It's telling you that line 326 of snort.conf has an error. Perhaps a mismatched or out of place '}' On 1/12/2017 2:28 AM, Mojtaba Haghighipour wrote: hi ... it's error when I run snort with command: snort -c /etc/snort/rules/etc/snort.conf ERROR: /etc/snort/rules/etc/snort.conf(326) => Invalid keyword '}' for server configuration. Fatal Error, Quitting.. Please help me.. ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort 2.9.9.0 error Mojtaba Haghighipour (Jan 11)
- Re: snort 2.9.9.0 error Jim Campbell (Jan 12)
- Re: snort 2.9.9.0 error Ed Borgoyn (eborgoyn) (Jan 12)
- Re: snort 2.9.9.0 error Michael Steele (Jan 12)
- Re: snort 2.9.9.0 error Mojtaba Haghighipour (Jan 13)
- Re: snort 2.9.9.0 error Kumarswamy H N (kumhn) (Jan 13)
- Re: snort 2.9.9.0 error Michael Steele (Jan 13)
- Re: snort 2.9.9.0 error Mojtaba Haghighipour (Jan 13)
- Re: snort 2.9.9.0 error Ed Borgoyn (eborgoyn) (Jan 13)
- Re: snort 2.9.9.0 error Ed Borgoyn (eborgoyn) (Jan 12)
- Re: snort 2.9.9.0 error Jim Campbell (Jan 12)
- Re: snort 2.9.9.0 error wkitty42 (Jan 13)