Gentoo Forums
Snort: "ERROR: Misconfigured dynamic preprocessor(s)"
toor_
n00b
Joined: 26 Feb 2008
Posts: 7

Posted: Sat Apr 05, 2008 9:12 pm    Post subject: Snort: "ERROR: Misconfigured dynamic preprocessor(s)"

Greetings,

I am installing Snort and running through the configuration; I have seen a lot of people with a similar problem. After editing the snort.conf file, I exit, save, and run a quick test (snort -c /etc/snort/snort.conf). The test runs great until it hits a check for the dynamic preprocessors:

Code:

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'EXTERNAL_NET' defined, value len = 17 chars, value = !192.168.0.100/24
Var 'DNS_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'SMTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'HTTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'SQL_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'TELNET_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'EXTERNAL_NET' defined, value len = 17 chars, value = !192.168.0.100/24
Var 'DNS_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'SMTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'HTTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'SQL_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'TELNET_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'SNMP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:   1
    Fragment ttl_limit: 5
    Fragment Problems: 1
    Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

2833 Snort rules read...
2833 Option Chains linked into 212 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60
| gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor...
Warning: Directory /usr/local/lib/snort_dynamicpreprocessor does not exist!
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor
/etc/snort/snort.conf(573) unknown dynamic preprocessor "ftp_telnet"
/etc/snort/snort.conf(577) unknown dynamic preprocessor "ftp_telnet_protocol"
/etc/snort/snort.conf(591) unknown dynamic preprocessor "ftp_telnet_protocol"
/etc/snort/snort.conf(596) unknown dynamic preprocessor "ftp_telnet_protocol"
/etc/snort/snort.conf(622) unknown dynamic preprocessor "smtp"
/etc/snort/snort.conf(777) unknown dynamic preprocessor "dcerpc"
/etc/snort/snort.conf(795) unknown dynamic preprocessor "dns"
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..


I assume the solution is to ensure you:
    A) merge Snort with all the needed USE flags required for your system:
    Code:
     USE="postgres mysql flexresp selinux snortsam odbc prelude inline dynamicplugin timestats perfprofiling linux-smp-stats flexresp2 react sguil gre" emerge -pv snort

    B) Ensure your dynamic plugins are there and symbolically linked:
    Code:
    ls -l /usr/lib/snort_dynamicpreprocessor/
    libsf_dcerpc_preproc.a
    libsf_dcerpc_preproc.la
    libsf_dcerpc_preproc.so -> libsf_dcerpc_preproc.so.0.0.0
    libsf_dcerpc_preproc.so.0 -> libsf_dcerpc_preproc.so.0.0.0
    libsf_dcerpc_preproc.so.0.0.0
    libsf_dns_preproc.a
    libsf_dns_preproc.la
    libsf_dns_preproc.so -> libsf_dns_preproc.so.0.0.0
    libsf_dns_preproc.so.0 -> libsf_dns_preproc.so.0.0.0
    libsf_dns_preproc.so.0.0.0
    libsf_ftptelnet_preproc.a
    libsf_ftptelnet_preproc.la
    libsf_ftptelnet_preproc.so -> libsf_ftptelnet_preproc.so.0.0.0
    libsf_ftptelnet_preproc.so.0 -> libsf_ftptelnet_preproc.so.0.0.0
    libsf_ftptelnet_preproc.so.0.0.0
    libsf_smtp_preproc.a
    libsf_smtp_preproc.la
    libsf_smtp_preproc.so -> libsf_smtp_preproc.so.0.0.0
    libsf_smtp_preproc.so.0 -> libsf_smtp_preproc.so.0.0.0
    libsf_smtp_preproc.so.0.0.0
    libsf_ssh_preproc.a
    libsf_ssh_preproc.la
    libsf_ssh_preproc.so -> libsf_ssh_preproc.so.0.0.0
    libsf_ssh_preproc.so.0 -> libsf_ssh_preproc.so.0.0.0
    libsf_ssh_preproc.so.0.0.0



I tried the above and still, "ERROR: Misconfigured dynamic preprocessor(s)"... Any help is welcome!

-toor
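
The startup output in the post shows Snort searching /usr/local/lib/snort_dynamicpreprocessor, while the listing in step B is of /usr/lib/snort_dynamicpreprocessor/. The script below is an added example, not part of the original post: it reads the dynamic library directives from a snort.conf and reports whether each path exists and holds shared objects. It assumes the Snort 2.x directive forms "dynamicpreprocessor directory|file <path>" and "dynamicengine <path>"; the function name and the sandbox paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list every dynamic* path that
# snort.conf tells Snort to load from, and whether it exists on disk.
# Prints "<STATUS> <directive> <path>"; returns 1 if any path is not OK.
check_dynamic_paths() {
    report=$(
        sed 's/#.*//' "$1" |
        awk '$1 ~ /^dynamic(preprocessor|engine|detection)$/ {
                 if ($2 == "directory" || $2 == "file") print $1, $2, $3
                 else print $1, "file", $2   # bare "dynamicengine <lib>" form
             }' |
        while read -r kind type path; do
            if [ "$type" = file ]; then
                if [ -f "$path" ]; then status=OK; else status=MISSING; fi
            elif [ ! -d "$path" ]; then
                status=MISSING
            elif ls "$path"/*.so >/dev/null 2>&1; then
                status=OK
            else
                status=EMPTY          # directory exists but holds no .so
            fi
            printf '%s %s %s\n' "$status" "$kind" "$path"
        done
    )
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    if printf '%s\n' "$report" | grep -Eq '^(MISSING|EMPTY) '; then
        return 1
    fi
    return 0
}

# Constructed sandbox mirroring the post: libraries are installed under
# usr/lib, while the config still names usr/local/lib.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/snort_dynamicpreprocessor"
    : > "$root/usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so"
    printf '%s\n' \
        "# dynamicpreprocessor directory /commented/out/" \
        "dynamicpreprocessor directory $root/usr/local/lib/snort_dynamicpreprocessor/" \
        > "$root/before.conf"
    printf '%s\n' \
        "dynamicpreprocessor directory $root/usr/lib/snort_dynamicpreprocessor/" \
        > "$root/after.conf"
    check_dynamic_paths "$root/before.conf" || echo "before.conf: fix the path"
    check_dynamic_paths "$root/after.conf" && echo "after.conf: ok"
    rm -rf "$root"
}
demo
```

On a real system, call check_dynamic_paths /etc/snort/snort.conf; a MISSING line for a dynamicpreprocessor directory corresponds to the "Directory ... does not exist!" warning in the output above.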