Snort Forums Archive
Unknown rule type: dynamicpreprocessor
Posted by omegasox on June 07, 2006 13:18:25
/var/log/messages:
Jun 7 14:33:37 reki snort[16702]: Parsing Rules file /etc/snort/snort.conf
Jun 7 14:33:37 reki snort[16702]: Var 'EXTERNAL_NET' defined, value len = 13 chars
Jun 7 14:33:37 reki snort[16702]: , value = !10.24.0.0/16
Jun 7 14:33:37 reki snort[16702]: Var 'DNS_SERVERS' defined, value len = 12 chars
Jun 7 14:33:37 reki snort[16702]: , value = 10.24.0.0/16
Jun 7 14:33:37 reki snort[16702]: Var 'SMTP_SERVERS' defined, value len = 12 chars
Jun 7 14:33:37 reki snort[16702]: , value = 10.24.0.0/16
Jun 7 14:33:37 reki snort[16702]: Var 'HTTP_SERVERS' defined, value len = 12 chars
Jun 7 14:33:37 reki snort[16702]: , value = 10.24.0.0/16
Jun 7 14:33:37 reki snort[16702]: Var 'SQL_SERVERS' defined, value len = 12 chars
Jun 7 14:33:37 reki snort[16702]: , value = 10.24.0.0/16
Jun 7 14:33:37 reki snort[16702]: Var 'TELNET_SERVERS' defined, value len = 12 chars
Jun 7 14:33:37 reki snort[16702]: , value = 10.24.0.0/16
Jun 7 14:33:37 reki snort[16702]: Var 'SNMP_SERVERS' defined, value len = 12 chars
Jun 7 14:33:37 reki snort[16702]: , value = 10.24.0.0/16
Jun 7 14:33:37 reki snort[16702]: Var 'HTTP_PORTS' defined, value len = 2 chars
Jun 7 14:33:37 reki snort[16702]: , value = 80
Jun 7 14:33:37 reki snort[16702]: Var 'SHELLCODE_PORTS' defined, value len = 3 chars
Jun 7 14:33:37 reki snort[16702]: , value = !80
Jun 7 14:33:37 reki snort[16702]: Var 'ORACLE_PORTS' defined, value len = 4 chars
Jun 7 14:33:37 reki snort[16702]: , value = 1521
Jun 7 14:33:37 reki snort[16702]: Var 'AIM_SERVERS' defined, value len = 185 chars
Jun 7 14:33:37 reki snort[16702]:
Jun 7 14:33:37 reki snort[16702]: [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
Jun 7 14:33:37 reki snort[16702]: .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Jun 7 14:33:37 reki snort[16702]: Var 'RULE_PATH' defined, value len = 16 chars
Jun 7 14:33:37 reki snort[16702]: , value = /etc/snort/rules
Jun 7 14:33:37 reki snort[16702]: FATAL ERROR: /etc/snort/snort.conf(182) => Unknown rule type: dynamicpreprocessor
Jun 7 14:33:38 reki pidof:
Jun 7 14:33:38 reki snort: failed
How can I get this to work properly? Using 2.6.0 and the current ruleset.

Posted by snort_man on June 27, 2006 08:58:41
Same problem here. Any answers? I did run ./configure --with-mysql --enable-dynamicplugin and all the directories and files are in the right place.

Posted by dsegel on July 03, 2006 07:20:18
Check in the /usr/local/lib/snort_dynamicengine and snort_dynamicpreprocessor directories for a proper symbolic link to the libraries. If it doesn't exist, do this:
cd /usr/local/lib/snort_dynamicengine
ln -s libsf_engine.so.0.0 libsf_engine.so
cd /usr/local/lib/snort_dynamicpreprocessor
ln -s libsf_ftptelnet_preproc.so.0.0 libsf_ftptelnet_preproc.so
ln -s libsf_smtp_preproc.so.0.0 libsf_smtp_preproc.so
Change the directory as appropriate depending on where you installed things.

Posted by wifi on July 03, 2006 14:15:05
I had the same problem..
After deleting snort, and doing a "make clean" 1st and then a reinstall (with the "--with-mysql --enable-dynamicplugin" option) I got it working on my Debian Sarge system!

Posted by lizf on July 12, 2006 09:11:18
I have the same problem when using the conf file. Unknown rule type: dynamicpreprocessor. I've already checked all the symbolic links and they are properly pointing to the right place. I've even deleted snort, done a "make clean" and reinstalled with the --enable-dynamicplugin to no avail.
I'm using RHEL 3 with updates.
I have been able to get the dynamicplugins to work if I call them from the command line instead of in the conf file. I would really like to get this working from the conf file instead of the command line.
Any help is appreciated.

Posted by lizf on July 12, 2006 11:22:05
Okay I've got it working now. Don't know if it will help anyone else but here is what I did.
./configure --enable-dynamicplugin
make
(also did a "make check" and "libtool --finish /usr/local/lib/snort_dynamicpreprocessor", things I found on a different thread in the forum, but I'm not sure they helped or not)
make install
Then in my snort.conf file I made sure the following line was NOT commented out.
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
This should load all the dynamicpreprocessors in that directory.
Then I also made sure the following lines were commented out, they are by default.
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
dynamicpreprocessor
dynamicpreprocessor
Then ran snort with my modified snort.conf and it worked.
I also figured out that if you want to just specify specific dynamicpreprocessors such as only ftptelnet or smtp that you need to comment out the dynamicpreprocessor directory specifier. Then change the dynamicpreprocessor to look like:
dynamicpreprocessor file /your/path/here/libsf_ftptelnet_preproc.so
My lines look like:
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
Hope that helps someone else.
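
Added example, not part of any post in this thread: a shell check that combines the symlink test from dsegel's reply with the `dynamicpreprocessor directory` / `dynamicpreprocessor file` lines from lizf's reply, reporting active directives that point at missing libraries or dangling symlinks. The function names `check_dynamicpreprocessor` and `make_sample` and the temporary sample tree are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check that every active "dynamicpreprocessor" directive in a
# snort.conf points at a loadable file. Prints one line per problem in Snort's
# "file(line)" style; returns 0 if clean, 1 otherwise.
check_dynamicpreprocessor() {
    conf=$1; status=0; lineno=0
    while read -r keyword kind path rest || [ -n "$keyword" ]; do
        lineno=$((lineno + 1))
        [ "$keyword" = "dynamicpreprocessor" ] || continue  # skips comments too
        case $kind in
        file)
            if [ -L "$path" ] && [ ! -e "$path" ]; then
                echo "$conf($lineno): dangling symlink: $path"; status=1
            elif [ ! -f "$path" ]; then
                echo "$conf($lineno): missing library: $path"; status=1
            fi ;;
        directory)
            found=0
            for lib in "$path"/*.so; do
                if [ -f "$lib" ]; then found=1
                elif [ -L "$lib" ]; then
                    echo "$conf($lineno): dangling symlink: $lib"; status=1
                fi
            done
            if [ "$found" -eq 0 ]; then
                echo "$conf($lineno): no loadable .so in: $path"; status=1
            fi ;;
        *)
            echo "$conf($lineno): incomplete directive: $keyword $kind"; status=1 ;;
        esac
    done < "$conf"
    return "$status"
}

# Constructed sample tree: one good symlink, one dangling symlink, one bare directive.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/pp" && : > "$d/pp/libsf_smtp_preproc.so.0.0"
    ln -s libsf_smtp_preproc.so.0.0 "$d/pp/libsf_smtp_preproc.so"
    ln -s libsf_ftptelnet_preproc.so.0.0 "$d/pp/libsf_ftptelnet_preproc.so"
    printf '%s\n' "# dynamicpreprocessor file $d/pp/libdynamicexample.so" \
        "dynamicpreprocessor directory $d/pp/" \
        "dynamicpreprocessor file $d/pp/libsf_ftptelnet_preproc.so" \
        "dynamicpreprocessor" > "$d/snort.conf"
    echo "$d/snort.conf"
}

# Usage: pass a snort.conf path; with no argument the constructed sample is checked.
check_dynamicpreprocessor "${1:-$(make_sample)}" || true
```

This only validates the paths named in the configuration; it does not tell you whether the snort binary itself was built with `--enable-dynamicplugin`.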