Snort mailing list archives

ERROR: Threshold-RuleOptionParse: incorrect argument count, should be 4 pairs Fatal Error, Quitting..

From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Mon, 16 Aug 2004 14:13:04 -0500

Anyone see this error before? Is it a typo in the threshold.conf file?
This is snort v2.1.3



# snort -i eth1 -c /usr/local/appliedwatch/agent/snort/conf/snort.conf -l
/usr/local/appliedwatch/agent/var/snort/log

Running in IDS mode
Log directory = /usr/local/appliedwatch/agent/var/snort/log
 
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/local/appliedwatch/agent/snort/conf/snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename:
/usr/local/appliedwatch/agent/snort/conf/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
ERROR: Threshold-RuleOptionParse: incorrect argument count, should be 4
pairs Fatal Error, Quitting..




Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
Direct: (877) 262-7593 x327


---------------------------------------------------------------

Toll Free: (877) 262-7593 (9am-5pm PST) Monday-Friday
Direct:    (877) 262-7593 x327

Address:   1134 N. Main St.
           Algonquin, IL 60102

---------------------------------------------------------------





-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort on a Gigabit Bandwidth TRIBUT Mickael OF/DTRS (Aug 16)
- Re: Snort on a Gigabit Bandwidth Erik Fichtner (Aug 16)
  - ERROR: Threshold-RuleOptionParse: incorrect argument count, should be 4 pairs Fatal Error, Quitting.. Eric Hines (Aug 16)
- <Possible follow-ups>
- RE: Snort on a Gigabit Bandwidth Kreimendahl, Chad J (Aug 16)
- RE: Snort on a Gigabit Bandwidth TRIBUT Mickael OF/DTRS (Aug 16)
- RE: Snort on a Gigabit Bandwidth TRIBUT Mickael OF/DTRS (Aug 17)
- Re: Snort on a Gigabit Bandwidth Jim Richards (Aug 17)
- RE: Snort on a Gigabit Bandwidth Kreimendahl, Chad J (Aug 17)