[Snort-users] Re: snort-2.1.0 upgrade error (Snort forums, System Security and Security Related category)
Nevermind, I fixed my problems.
Peggy Kam wrote:
> Hi,
>
> I am currently having trouble upgrading from snort-2.0.4 to
> snort-2.1.0. I am not able to start snort and I get the following
> error in the syslog:
>
> Feb 5 13:40:21 ndsapp su(pam_unix)[31698]: session opened for user
> root by koadmin(uid=500)
> Feb 5 13:40:36 ndsapp snort: Initializing daemon mode
> Feb 5 13:40:36 ndsapp snort: PID path stat checked out ok, PID path
> set to /var/run/
> Feb 5 13:40:36 ndsapp snort: Writing PID "31746" to file
> "/var/run//snort_eth1.pid"
> Feb 5 13:40:36 ndsapp snort: FATAL ERROR:
> /prod/etc/snort/snort.conf(285) => Invalid file name for IIS Unicode
> Map file.
>
> And when I run snort without -D flag, I get:
>
> Starting Intrusion Database System: SNORT
> Running in IDS mode
> Log directory = /var/log/snort
>
> Initializing Network Interface eth1
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth1
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /prod/etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
> Fragment timeout: 60 seconds
> Fragment memory cap: 4194304 bytes
> Fragment min_ttl: 0
> Fragment ttl_limit: 5
> Fragment Problems: 0
> Self preservation threshold: 500
> Self preservation period: 90
> Suspend threshold: 1000
> Suspend period: 30
> Stream4 config:
> Stateful inspection: ACTIVE
> Session statistics: INACTIVE
> Session timeout: 30 seconds
> Session memory cap: 8388608 bytes
> State alerts: INACTIVE
> Evasion alerts: INACTIVE
> Scan alerts: INACTIVE
> Log Flushed Streams: INACTIVE
> MinTTL: 1
> TTL Limit: 5
> Async Link: 0
> State Protection: 0
> Self preservation threshold: 50
> Self preservation period: 90
> Suspend threshold: 200
> Suspend period: 30
> Stream4_reassemble config:
> Server reassembly: INACTIVE
> Client reassembly: ACTIVE
> Reassembler alerts: ACTIVE
> Zero out flushed packets: INACTIVE
> flush_data_diff_size: 500
> Ports: 21 23 25 53 80 110 111 143 513 1433
> Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> ERROR: /prod/etc/snort/snort.conf(285) => Invalid file name for IIS
> Unicode Map file.
> Fatal Error, Quitting..
>
> I have already updated my config files and the rulesets.
>
> When I try /prod/bin/snort -V:
>
> I get
> -*> Snort! <*-
> Version 2.1.0 (Build 9)
> By Martin Roesch (roesch@sourcefire.com, www.snort.org)
>
> When I try /prod/bin/snort -T:
>
> I get:
>
> -*> Snort! <*-
> Version 2.1.0 (Build 9)
> By Martin Roesch (roesch@sourcefire.com, www.snort.org)
> USAGE: /prod/bin/snort [-options] <filter options>
> Options:
> -A Set alert mode: fast, full, console, or none (alert file alerts only)
> "unsock" enables UNIX socket logging (experimental).
> -b Log packets in tcpdump format (much faster!)
> -c <rules> Use Rules File <rules>
> -C Print out payloads with character data only (no hex)
> -d Dump the Application Layer
> -D Run Snort in background (daemon) mode
> -e Display the second layer header info
> -f Turn off fflush() calls after binary log writes
> -F <bpf> Read BPF filters from file <bpf>
> -g <gname> Run snort gid as <gname> group (or gid) after initialization
> -h <hn> Home network = <hn>
> -i <if> Listen on interface <if>
> -I Add Interface name to alert output
> -k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)
> -l <ld> Log to directory <ld>
> -L <file> Log to this tcpdump file
> -m <umask> Set umask = <umask>
> -n <cnt> Exit after receiving <cnt> packets
> -N Turn off logging (alerts still work)
> -o Change the rule testing order to Pass|Alert|Log
> -O Obfuscate the logged IP addresses
> -p Disable promiscuous mode sniffing
> -P <snap> Set explicit snaplen of packet (default: 1514)
> -q Quiet. Don't show banner and status report
> -r <tf> Read and process tcpdump file <tf>
> -R <id> Include 'id' in snort_intf<id>.pid file name
> -s Log alert messages to syslog
> -S <n=v> Set rules file variable n equal to value v
> -t <dir> Chroots process to <dir> after initialization
> -T Test and report on the current Snort configuration
> -u <uname> Run snort uid as <uname> user (or uid) after initialization
> -U Use UTC for timestamps
> -v Be verbose
> -V Show version number
> -w Dump 802.11 management and control frames
> -X Dump the raw packet data starting at the link layer
> -y Include year in timestamp in the alert and log files
> -z Set assurance mode, match on established sesions (for TCP)
> -? Show this information
> <Filter Options> are standard BPF options, as seen in TCPDump
>
> Uh, you need to tell me to do something...
>
> : No such file or directory
>
> Does anyone have any clue how to fix this error?
>
> Thanks in advance,
> Peggy
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
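The error quoted above ("snort.conf(285) => Invalid file name for IIS Unicode Map file") is Snort refusing to start because a file named in its configuration cannot be used. As an added example, not part of the original post and not Snort's own code, here is a small Python checker that reads a snort.conf, finds every `iis_unicode_map` directive, and confirms the referenced file exists, reporting problems in the same `snort.conf(<n>) => ...` form Snort uses so the line number can be compared directly with the daemon's message. It assumes the Snort 2.x http_inspect syntax `preprocessor http_inspect: global iis_unicode_map <file> <codepage>` and that a bare file name resolves relative to the directory holding snort.conf; the config fragment and map file it writes into a temporary directory are constructed for the demonstration.

```python
"""Pre-flight check for iis_unicode_map references in a Snort 2.x snort.conf.

Added example, not code from the original thread or from the Snort project.
Assumptions: the http_inspect directive has the form
    preprocessor http_inspect: global iis_unicode_map <file> <codepage>
and a relative <file> is looked up in the directory that holds snort.conf.
"""
import os
import re
import tempfile

# Captures the map file name and, when present, the numeric code page.
_MAP_RE = re.compile(r"\biis_unicode_map\s+(\S+)(?:\s+(\d+))?")


def find_unicode_map_refs(conf_text):
    """Return (line_no, file_name, codepage) for each iis_unicode_map directive.

    Lines are numbered from 1 so that reports line up with Snort's own
    `snort.conf(<n>) => ...` messages. Comment-only and blank lines are skipped.
    """
    refs = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("preprocessor http_inspect"):
            continue
        m = _MAP_RE.search(line)
        if m:
            refs.append((line_no, m.group(1), m.group(2)))
    return refs


def check_unicode_maps(conf_path):
    """Return a list of problem strings; an empty list means every map resolves."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path) as fh:
        text = fh.read()
    problems = []
    for line_no, name, codepage in find_unicode_map_refs(text):
        path = name if os.path.isabs(name) else os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            problems.append("%s(%d) => IIS Unicode Map file not found: %s"
                            % (conf_path, line_no, path))
        elif codepage is None:
            # Assumed requirement: the directive takes a code page after the file.
            problems.append("%s(%d) => iis_unicode_map is missing the code page argument"
                            % (conf_path, line_no))
    return problems


# Constructed sample config: one map reference that will exist on disk and one
# that will not, so the checker has both outcomes to report.
SAMPLE_CONF = """\
# constructed snort.conf fragment (not a real deployment file)
var HOME_NET any
preprocessor frag2
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect: global iis_unicode_map /nonexistent/dir/unicode.map 1252
"""


def demo():
    """Write the constructed config to a temp dir, create only the first map, run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "snort.conf")
        with open(conf, "w") as fh:
            fh.write(SAMPLE_CONF)
        with open(os.path.join(tmp, "unicode.map"), "w") as fh:
            fh.write("# constructed placeholder map\n")
        return check_unicode_maps(conf)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Running the script prints one line for the reference on line 5 of the constructed config, the one whose file is absent; the reference on line 4 resolves and is silent. Pointed at a real snort.conf (`check_unicode_maps("/prod/etc/snort/snort.conf")`), it surfaces the same class of problem before the daemon is restarted, which is cheaper than discovering it in syslog.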