Re: snort -c /etc/snort/snort.conf fatal error

["Patrick S. Harper" <lists () internetsecurityguru com>]

If he followed the latest documentation it is.  But what most likely
happened is that he used the doc off the snort site which is for 2.0.2
and installed 2.1.2 instead and did not look at the updated
documentation.  I have a link to it in that document and the updates are
kept on my site.

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com
www.ntsug.org

On Sat, 2004-04-17 at 07:30, VanZee, Timothy wrote:
> Can anyone help me out?  I am not getting any alerts even after running CIS Scanner against the box.
> I installed according to Install Guide by Patrick S. Harper on snort.org/docs.
>  
> Here is the output from snort -c /etc/snort/snort.conf
>  
>
> ######################################################
>  
> # snort -c /etc/snort/snort.conf
> Running in IDS mode
> Log directory = /var/log/snort
> Initializing Network Interface eth0
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4099
> | Overhead Bytes:  16400(%0.16)
> `----------------------------------------------
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>     Self preservation threshold: 500
>     Self preservation period: 90
>     Suspend threshold: 1000
>     Suspend period: 30
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
> Stream4_reassemble config:
>     Server reassembly: INACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     flush_data_diff_size: 500
>     Ports: 21 23 25 53 80 110 111 143 513 1433
>     Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
> ERROR: /etc/snort/snort.conf(285) => Invalid file name for IIS Unicode Map file.
> Fatal Error, Quitting..
>
>  
>
>
> ######################################################
>  
>
> Here are lines 284 and 285 from my snort.conf
>  
> ###############
>  
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> ###############
>  
>
>
> Thanks for your help as I'm new to snort.
>  
>
> ӆ+^隊X'u 
> {Nh&ZxnjZkzǧ[6Qϭ"ujwBӢ^r薈"zyzbg֦z{Zh+-zf)ڶ*'mig&'׎e?ǫf)+-Jz+z+-(~{޴j-bDK!jxǫb{(칻&mXy+zlX)ߣ'ǫ)+-j!iz+k
>        ^(v*醝+-
-- 







-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users