List: snort-users
Subject: Re: [Snort-users] After updating preprocessors trouble.
From: "Joel Esler (jesler)" <jesler () cisco ! com>
Date: 2015-11-13 17:22:29
Message-ID: 566AFF47-B829-4124-B873-6606F7A903D3 () cisco ! com
This generally means that you have an older version of Snort preprocessor installed with a newer version of Snort.
You need to uninstall the old version of Snort and its preprocessors before you attempt to run the new one.
--
Joel Esler
Manager, Talos Group
On Nov 13, 2015, at 1:03 AM, Oleg Ruso <soy_siberiano@yahoo.com> wrote:
Hi List.
-------------------------
snort-2.9.7.6
Name : snort
Version : 2.9.7.6
Architecture : freebsd:9:x86:64
...
Options :
APPID : off
BARNYARD : on
DBGSNORT : off
DOCS : on
FILEINSPECT : on
GRE : on
HA : off
IPV6 : off
LRGPCAP : off
NONETHER : off
NORMALIZER : on
PERFPROFILE : on
PULLEDPORK : on
SOURCEFIRE : on
Shared Libs required:
libpcre.so.1
libsfbpf.so.0
libcrypto.so.8
libdnet.so.1
Shared Libs provided:
libsf_dce2_preproc.so.0
libsf_engine.so.0
libsf_sdf_preproc.so.0
libsf_pop_preproc.so.0
libsf_ssl_preproc.so.0
libsf_modbus_preproc.so.0
libsf_file_preproc.so.0
libsf_dns_preproc.so.0
libsf_ssh_preproc.so.0
libsf_reputation_preproc.so.0
libsf_smtp_preproc.so.0
libsf_gtp_preproc.so.0
libsf_imap_preproc.so.0
libsf_ftptelnet_preproc.so.0
libsf_dnp3_preproc.so.0
libsf_sip_preproc.so.0
----------------------------------------------------
After updating, I got a problem with preprocessors.
1. Start:
snort -T -c /usr/local/etc/snort/snort.conf
Got an error
-----------------
ERROR size 1152 != 1128
ERROR: Failed to initialize dynamic preprocessor: APPID version 1.1.4 (-2)
---------------
It was a conflict with the old preprocessor library versions.
I deleted all files from the dynamicpreprocessor directory /usr/local/lib/snort/dynamic_preproc
and then reinstalled Snort (from port).
And now I have only one file in the dynamicpreprocessor directory.
-rw-r--r-- 1 root wheel 110k 11 ноя 16:43 libsf_dynamic_preproc.a
2. The consequence is that I can't start the preprocessors
dns, ssh, dcerpc2, dcerpc2_server
An error example:
ERROR: /usr/local/etc/snort/snort.conf(150) Unknown preprocessor: "dns".
I checked the config file carefully; it has no errors.
Where can I find the missing libraries for snort-2.9.7.6? Or what other reason could there be?
Thanks.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
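A check for the state described in this thread, as an added example that is not part of either message: it reads the `dynamicpreprocessor directory` and `preprocessor` directives from a Snort 2.9 configuration and lists the preprocessors whose shared library is absent from that directory. The name-to-library mapping in `lib_for` is an assumption built from the library list and preprocessor names in the post, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The name-to-library pairs are assumed
# from the "Shared Libs provided" list and the preprocessors named in the post.
lib_for() {
    case "$1" in
        dns) echo libsf_dns_preproc.so ;;
        ssh) echo libsf_ssh_preproc.so ;;
        dcerpc2|dcerpc2_server) echo libsf_dce2_preproc.so ;;
        *) return 1 ;;   # built-in or unmapped preprocessor: not checked
    esac
}

# Directory named by the first "dynamicpreprocessor directory" directive.
dyn_dir() {
    sed -n 's/^[[:space:]]*dynamicpreprocessor[[:space:]]\{1,\}directory[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print "<preprocessor> <library>" for each configured preprocessor whose
# shared object is absent. Usage: missing_preprocs snort.conf [directory]
missing_preprocs() {
    conf=$1
    dir=${2:-$(dyn_dir "$conf")}
    [ -n "$dir" ] || { echo "no dynamicpreprocessor directory in $conf" >&2; return 2; }
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]\{1,\}\([A-Za-z0-9_]*\).*/\1/p' "$conf" |
    sort -u |
    while read -r name; do
        if lib=$(lib_for "$name"); then
            set -- "$dir"/"$lib"*          # matches .so, .so.0, ...
            [ -e "$1" ] || echo "$name $lib"
        fi
    done
}

# Constructed sample: static archive plus one shared object, as after a partial install.
demo=$(mktemp -d)
mkdir "$demo/dynamic_preproc"
: > "$demo/dynamic_preproc/libsf_dynamic_preproc.a"
: > "$demo/dynamic_preproc/libsf_ssh_preproc.so.0"
cat > "$demo/snort.conf" <<EOF
dynamicpreprocessor directory $demo/dynamic_preproc
preprocessor frag3_global: max_frags 65536
# preprocessor sip: max_sessions 40000
preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor ssh: server_ports { 22 }
preprocessor dcerpc2: memcap 102400
preprocessor dcerpc2_server: default
EOF
missing_preprocs "$demo/snort.conf"
rm -rf "$demo"
```

Built-in preprocessors and names outside the mapping are skipped, so an empty result only covers the four names handled by `lib_for`.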