Re: Fw: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1

[Ryan Jordan <ryan.jordan () sourcefire com>]

There's a couple things going on here.

First: Your snort.conf file is going to have a line that reads like this:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

Snort is going to attempt to load EVERY .so file contained in that
directory. No more, no less. The error message doesn't mean that Snort
can't find your SDF preprocessor -- it means that it was found, but
didn't load correctly.

Second: The interface between Snort and its .so preprocessors/rules
changes with most Snort releases. If you mix and match your versions,
Snort will segfault. If you recompile Snort with different configure
options, you also need to rebuild and reinstall the .so files.

ccie:
Right now you're running Snort 2.8.5.3 with a 2.8.6 preprocessor. SDF
was newly introduced in Snort 2.8.6, so simply doing a "make install"
from 2.8.5.3 would not overwrite it. You should uninstall your current
Snort stuff first, *then* reinstall.

I'm not sure why you had problems with 2.8.6 in the first place.
Perhaps you were running a different Snort binary than the one you
installed?

-Ryan

On Fri, Apr 30, 2010 at 10:45 AM, Joel Esler <jesler () sourcefire com> wrote:
> Wait, are you trying to use 2.8.5.3 with the 2.8.6 preprocessors?
> J
>
> On Fri, Apr 30, 2010 at 10:39 AM, ccie 6862 <ccie6862 () yahoo com> wrote:
> > --- On Fri, 4/30/10, ccie 6862 <ccie6862 () yahoo com> wrote:
> >
> > > From: ccie 6862 <ccie6862 () yahoo com>
> > > Subject: [Snort-users] FATAL ERROR: Failed to initialize dynamic
> > > preprocessor: SF_SDF version 1.1.1
> > > To: "Snort-users () lists sourceforge net"
> > > <Snort-users () lists sourceforge net>
> > > Date: Friday, April 30, 2010, 9:05 AM
> > > I just upgraded snort and now can't
> > > start it due to this error. This is running on a CentOS 5
> > > 64-bit system. Google isn't turning up anything, and I'm
> > > tempted to go through my snort.conf file and start
> > > commenting out lines. Has anyone else run into this? The
> > > system was working under the previous version of snort.
> > >
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Hmmm, this is getting frustrating. I just downgraded to snort-2.8.5.3, and
> > I'm getting the same error. I had been running 2.5.8.2, but I can't find the
> > source files.
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users