Snort Forums Archive
Snort 2.6 cant start
Posted by tnowak on June 08, 2006 23:20:32
I upgraded Snort from 2.4 to 2.6 and Snort can't start.
Messages from /var/log/messages:
Jun 9 09:03:57 fire snort[17848]: Ports to decode telnet on: 21 23 25 119
Jun 9 09:03:57 fire snort[17848]: Portscan Detection Config:
Jun 9 09:03:57 fire snort[17848]: Detect Protocols: TCP UDP ICMP IP
Jun 9 09:03:57 fire snort[17848]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Jun 9 09:03:57 fire snort[17848]: Sensitivity Level: Low
Jun 9 09:03:57 fire snort[17848]: Memcap (in bytes): 10000000
Jun 9 09:03:57 fire snort[17848]: Number of Nodes: 36900
Jun 9 09:03:57 fire snort[17848]:
Jun 9 09:05:16 fire snort[18433]: Parsing Rules file /etc/snort/snort.conf
Jun 9 09:05:16 fire snort[18433]: Var 'EXTERNAL_NET' defined, value len = 3 chars
Jun 9 09:05:16 fire snort[18433]: , value = any
Jun 9 09:05:16 fire snort[18433]: Var 'NONE_NET' defined, value len = 12 chars
Jun 9 09:05:16 fire snort[18433]: , value = [0.0.0.0/32]
Jun 9 09:05:16 fire snort[18433]: Var 'DNS_SERVERS' defined, value len = 13 chars
Jun 9 09:05:16 fire snort[18433]: , value = [10.0.0.0/24]
Jun 9 09:05:16 fire snort[18433]: Var 'SMTP_SERVERS' defined, value len = 13 chars
Jun 9 09:05:16 fire snort[18433]: , value = [10.0.0.0/24]
Jun 9 09:05:16 fire snort[18433]: Var 'HTTP_SERVERS' defined, value len = 13 chars
Jun 9 09:05:16 fire snort[18433]: , value = [10.0.0.0/24]
Jun 9 09:05:16 fire snort[18433]: Var 'SQL_SERVERS' defined, value len = 13 chars
Jun 9 09:05:16 fire snort[18433]: , value = [10.0.0.0/24]
Jun 9 09:05:16 fire snort[18433]: Var 'TELNET_SERVERS' defined, value len = 12 chars
Jun 9 09:05:16 fire snort[18433]: , value = [0.0.0.0/32]
Jun 9 09:05:16 fire snort[18433]: Var 'SNMP_SERVERS' defined, value len = 12 chars
Jun 9 09:05:16 fire snort[18433]: , value = [0.0.0.0/32]
Jun 9 09:05:16 fire snort[18433]: Var 'HTTP_PORTS' defined, value len = 2 chars
Jun 9 09:05:16 fire snort[18433]: , value = 80
Jun 9 09:05:16 fire snort[18433]: Var 'SHELLCODE_PORTS' defined, value len = 3 chars
Jun 9 09:05:16 fire snort[18433]: , value = !80
Jun 9 09:05:16 fire snort[18433]: Var 'ORACLE_PORTS' defined, value len = 4 chars
Jun 9 09:05:16 fire snort[18433]: , value = 1521
Jun 9 09:05:16 fire snort[18433]: Var 'AIM_SERVERS' defined, value len = 185 chars
Jun 9 09:05:16 fire snort[18433]:
Jun 9 09:05:16 fire snort[18433]: [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
Jun 9 09:05:16 fire snort[18433]: .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Jun 9 09:05:16 fire snort[18433]: Var 'RULE_PATH' defined, value len = 16 chars
Jun 9 09:05:16 fire snort[18433]: , value = /etc/snort/rules
Jun 9 09:05:16 fire snort[18433]: ,-----------[Flow Config]----------------------
Jun 9 09:05:16 fire snort[18433]: | Stats Interval: 0
Jun 9 09:05:16 fire snort[18433]: | Hash Method: 2
Jun 9 09:05:16 fire snort[18433]: | Memcap: 10485760
Jun 9 09:05:16 fire snort[18433]: | Rows : 4099
Jun 9 09:05:16 fire snort[18433]: | Overhead Bytes: 16400(%0.16)
Jun 9 09:05:16 fire snort[18433]: `----------------------------------------------
Jun 9 09:05:16 fire snort[18433]: Frag3 global config:
Jun 9 09:05:16 fire snort[18433]: Max frags: 65536
Jun 9 09:05:16 fire snort[18433]: Fragment memory cap: 4194304 bytes
Jun 9 09:05:16 fire snort[18433]: Frag3 engine config:
Jun 9 09:05:16 fire snort[18433]: Target-based policy: FIRST
Jun 9 09:05:16 fire snort[18433]: Fragment timeout: 60 seconds
Jun 9 09:05:16 fire snort[18433]: Fragment min_ttl: 1
Jun 9 09:05:16 fire snort[18433]: Fragment ttl_limit: 5
Jun 9 09:05:16 fire snort[18433]: Fragment Problems: 1
Jun 9 09:05:16 fire snort[18433]: Bound Addresses: 0.0.0.0/0.0.0.0
Jun 9 09:05:16 fire snort[18433]: Stream4 config:
Jun 9 09:05:16 fire snort[18433]: Stateful inspection: ACTIVE
Jun 9 09:05:16 fire snort[18433]: Session statistics: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Session timeout: 30 seconds
Jun 9 09:05:16 fire snort[18433]: Session memory cap: 8388608 bytes
Jun 9 09:05:16 fire snort[18433]: Session count max: 8192 sessions
Jun 9 09:05:16 fire snort[18433]: Session cleanup count: 5
Jun 9 09:05:16 fire snort[18433]: State alerts: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Evasion alerts: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Scan alerts: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Log Flushed Streams: INACTIVE
Jun 9 09:05:16 fire snort[18433]: MinTTL: 1
Jun 9 09:05:16 fire snort[18433]: TTL Limit: 5
Jun 9 09:05:16 fire snort[18433]: Async Link: 0
Jun 9 09:05:16 fire snort[18433]: State Protection: 0
Jun 9 09:05:16 fire snort[18433]: Self preservation threshold: 50
Jun 9 09:05:16 fire snort[18433]: Self preservation period: 90
Jun 9 09:05:16 fire snort[18433]: Suspend threshold: 200
Jun 9 09:05:16 fire snort[18433]: Suspend period: 30
Jun 9 09:05:16 fire snort[18433]: Enforce TCP State: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Midstream Drop Alerts: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Server Data Inspection Limit: -1
Jun 9 09:05:16 fire snort[18433]: WARNING /etc/snort/snort.conf(374) => flush_behavior set in config file, using old static flushpoints (0)
Jun 9 09:05:16 fire snort[18433]: Stream4_reassemble config:
Jun 9 09:05:16 fire snort[18433]: Server reassembly: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Client reassembly: ACTIVE
Jun 9 09:05:16 fire snort[18433]: Reassembler alerts: ACTIVE
Jun 9 09:05:16 fire snort[18433]: Zero out flushed packets: INACTIVE
Jun 9 09:05:16 fire snort[18433]: Flush stream on alert: INACTIVE
Jun 9 09:05:16 fire snort[18433]: flush_data_diff_size: 500
Jun 9 09:05:16 fire snort[18433]: Reassembler Packet Preferance : Favor Old
Jun 9 09:05:16 fire snort[18433]: Packet Sequence Overlap Limit: -1
Jun 9 09:05:16 fire snort[18433]: Flush behavior: Small (<255 bytes)
Jun 9 09:05:16 fire snort[18433]: Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Jun 9 09:05:16 fire snort[18433]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Jun 9 09:05:16 fire snort[18433]: HttpInspect Config:
Jun 9 09:05:16 fire snort[18433]: GLOBAL CONFIG
Jun 9 09:05:16 fire snort[18433]: Max Pipeline Requests: 0
Jun 9 09:05:16 fire snort[18433]: Inspection Type: STATELESS
Jun 9 09:05:16 fire snort[18433]: Detect Proxy Usage: NO
Jun 9 09:05:16 fire snort[18433]: IIS Unicode Map Filename: /etc/snort/unicode.map
Jun 9 09:05:16 fire snort[18433]: IIS Unicode Map Codepage: 1252
Jun 9 09:05:16 fire snort[18433]: DEFAULT SERVER CONFIG:
Jun 9 09:05:16 fire snort[18433]: Ports: 80
Jun 9 09:05:16 fire snort[18433]: Flow Depth: 300
Jun 9 09:05:16 fire snort[18433]: Max Chunk Length: 500000
Jun 9 09:05:16 fire snort[18433]: Inspect Pipeline Requests: YES
Jun 9 09:05:16 fire snort[18433]: URI Discovery Strict Mode: NO
Jun 9 09:05:16 fire snort[18433]: Allow Proxy Usage: NO
Jun 9 09:05:16 fire snort[18433]: Disable Alerting: NO
Jun 9 09:05:16 fire snort[18433]: Oversize Dir Length: 500
Jun 9 09:05:16 fire snort[18433]: Only inspect URI: NO
Jun 9 09:05:16 fire snort[18433]: Ascii: YES alert: NO
Jun 9 09:05:16 fire snort[18433]: Double Decoding: OFF
Jun 9 09:05:16 fire snort[18433]: %U Encoding: OFF
Jun 9 09:05:16 fire snort[18433]: Bare Byte: OFF
Jun 9 09:05:16 fire snort[18433]: Base36: OFF
Jun 9 09:05:16 fire snort[18433]: UTF 8: YES alert: NO
Jun 9 09:05:16 fire snort[18433]: IIS Unicode: OFF
Jun 9 09:05:16 fire snort[18433]: Multiple Slash: YES alert: NO
Jun 9 09:05:16 fire snort[18433]: IIS Backslash: OFF
Jun 9 09:05:16 fire snort[18433]: Directory Traversal: YES alert: NO
Jun 9 09:05:16 fire snort[18433]: Web Root Traversal: YES alert: YES
Jun 9 09:05:16 fire snort[18433]: Apache WhiteSpace: YES alert: NO
Jun 9 09:05:16 fire snort[18433]: IIS Delimiter: OFF
Jun 9 09:05:16 fire snort[18433]: IIS Unicode Map: NOT CONFIGURED
Jun 9 09:05:16 fire snort[18433]: Non-RFC Compliant Characters: NONE
Jun 9 09:05:16 fire snort[18433]: rpc_decode arguments:
Jun 9 09:05:16 fire snort[18433]: Ports to decode RPC on: 111 32771
Jun 9 09:05:16 fire snort[18433]: alert_fragments: INACTIVE
Jun 9 09:05:16 fire snort[18433]: alert_large_fragments: ACTIVE
Jun 9 09:05:16 fire snort[18433]: alert_incomplete: ACTIVE
Jun 9 09:05:16 fire snort[18433]: alert_multiple_requests: ACTIVE
Jun 9 09:05:16 fire snort[18433]: WARNING: the telnet preprocessor will be deprecated in the next release of snort. Please switch to using ftptelnet.
Jun 9 09:05:16 fire snort[18433]: telnet_decode arguments:
Jun 9 09:05:16 fire snort[18433]: Ports to decode telnet on: 21 23 25 119
Jun 9 09:05:16 fire snort[18433]: Portscan Detection Config:
Jun 9 09:05:16 fire snort[18433]: Detect Protocols: TCP UDP ICMP IP
Jun 9 09:05:16 fire snort[18433]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Jun 9 09:05:16 fire snort[18433]: Sensitivity Level: Low
Jun 9 09:05:16 fire snort[18433]: Memcap (in bytes): 10000000
Jun 9 09:05:16 fire snort[18433]: Number of Nodes: 36900
Jun 9 09:05:16 fire snort[18433]:
This is the end of the logs...
Have you any ideas?
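A small triage helper for the kind of syslog excerpt posted above (added example, not from the original thread or from the Snort project): it groups the snort[] lines by PID so each start attempt can be seen separately, records which snort.conf was parsed, collects WARNING lines, and reports the last message each attempt produced before output stopped. The sample log is constructed from a few of the lines in the post.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the /var/log/messages excerpt in the post.
SAMPLE_LOG = """\
Jun 9 09:03:57 fire snort[17848]: Ports to decode telnet on: 21 23 25 119
Jun 9 09:03:57 fire snort[17848]: Portscan Detection Config:
Jun 9 09:03:57 fire snort[17848]: Number of Nodes: 36900
Jun 9 09:03:57 fire snort[17848]:
Jun 9 09:05:16 fire snort[18433]: Parsing Rules file /etc/snort/snort.conf
Jun 9 09:05:16 fire snort[18433]: Var 'RULE_PATH' defined, value len = 16 chars
Jun 9 09:05:16 fire snort[18433]: WARNING /etc/snort/snort.conf(374) => flush_behavior set in config file, using old static flushpoints (0)
Jun 9 09:05:16 fire snort[18433]: WARNING: the telnet preprocessor will be deprecated in the next release of snort. Please switch to using ftptelnet.
Jun 9 09:05:16 fire snort[18433]: Portscan Detection Config:
Jun 9 09:05:16 fire snort[18433]: Number of Nodes: 36900
Jun 9 09:05:16 fire snort[18433]:
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host snort[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]:\s?(?P<msg>.*)$"
)
PARSING_RE = re.compile(r"^Parsing Rules file (?P<conf>\S+)$")


def triage(log_text):
    """Group snort log lines by PID and summarise each start attempt."""
    attempts = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a snort line; ignore other daemons' messages
        pid = int(m.group("pid"))
        a = attempts.setdefault(pid, {"first": m.group("ts"), "last": None,
                                      "lines": 0, "conf": None,
                                      "warnings": [], "last_msg": ""})
        a["lines"] += 1
        a["last"] = m.group("ts")
        msg = m.group("msg").strip()
        p = PARSING_RE.match(msg)
        if p:
            a["conf"] = p.group("conf")
        if msg.startswith("WARNING"):
            a["warnings"].append(msg)
        if msg:  # keep the last non-empty message: where output stopped
            a["last_msg"] = msg
    return attempts


if __name__ == "__main__":
    for pid, a in triage(SAMPLE_LOG).items():
        print(f"pid {pid}: {a['lines']} lines, conf={a['conf']}, "
              f"{len(a['warnings'])} warning(s), stopped after: {a['last_msg']!r}")
```

Run it against the real file with `triage(open('/var/log/messages').read())`; an attempt whose last message is the sfPortscan config dump with nothing after it is the pattern shown in the post.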
Posted by docjag on June 22, 2006 07:17:50
Sounds like you have the memory-hogging version. Try enabling the option "config detection: search-method lowmem" in your snort.conf file. Next run snort in test mode using the command "snort -T -c /etc/snort/snort.conf" to test the configuration before actually running snort in daemon mode. If it works, great. If not, it was worth a try.