Package: snort
Version: 2.8.5.2-3
Severity: grave
Justification: renders package unusable
After updating and with default configuration files the following
happens:
---8<---
Configuring snort-common
------------------------
Configuration error
The current Snort configuration is invalid and will prevent Snort starting up
normally. Please review and correct it.
To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -c
<file>'.
Setting up snort (2.8.5.2-3) ...
Stopping Network Intrusion Detection System : snortNo running snort instance
found ... (warning).
Starting Network Intrusion Detection System : snort (eth0 using
/etc/snort/snort.conf ...ERROR: failed (check /var/log/daemon.log,
/var/log/syslog and /var/log/snort/)) failed!
invoke-rc.d: initscript snort, action "start" failed.
dpkg: error processing snort (--configure):
subprocess installed post-installation script returned error exit status 1
Setting up libva1 (1.0.4-1.3) ...
configured to not write apport reports
Errors were encountered while processing:
snort
E: Sub-process /usr/bin/dpkg returned an error code (1)
--->8---
Trying the command to check the config gives:
---8<---
# /usr/sbin/snort -T -c /etc/snort/snort.conf
Running in Test mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1521 ]
PortVar 'FTP_PORTS' defined : [ 21 ]
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from
/usr/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...
done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
Finished Loading all dynamic preprocessor libs from
/usr/lib/snort_dynamicpreprocessor/
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment Problems: 1
Overlap Limit: 10
Min fragment Length: 0
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: INACTIVE
Track ICMP sessions: INACTIVE
Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
Reassembly Policy: FIRST
Timeout: 30 seconds
Min ttl: 1
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Reassembly Ports:
21 client (Footprint)
23 client (Footprint)
25 client (Footprint)
42 client (Footprint)
53 client (Footprint)
80 client (Footprint)
110 client (Footprint)
111 client (Footprint)
135 client (Footprint)
136 client (Footprint)
137 client (Footprint)
139 client (Footprint)
143 client (Footprint)
445 client (Footprint)
513 client (Footprint)
514 client (Footprint)
1433 client (Footprint)
1521 client (Footprint)
2401 client (Footprint)
3306 client (Footprint)
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Server Flow Depth: 300
Client Flow Depth: 300
Max Chunk Length: 500000
Max Header Field Length: 0
Max Number Header Fields: 0
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Normalize HTTP Headers: NO
Normalize HTTP Cookies: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
Detect Anomalies: NO
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Ignore Telnet Cmd Operations: OFF
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Ignore Telnet Cmd Operations: OFF
Max Response Length: 256
SMTP Config:
Ports: 25 587 691
Inspection Type: Stateful
Normalize: EXPN RCPT VRFY
Ignore Data: No
Ignore TLS Data: No
Ignore SMTP Alerts: No
Max Command Line Length: Unlimited
Max Specific Command Line Length:
ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
RCPT:300 VRFY:255
Max Header Line Length: Unlimited
Max Response Line Length: Unlimited
X-Link2State Alert: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
SSH config:
Autodetection: DISABLED
Challenge-Response Overflow Alert: ENABLED
SSH1 CRC32 Alert: ENABLED
Server Version String Overflow Alert: ENABLED
Protocol Mismatch Alert: ENABLED
Bad Message Direction Alert: DISABLED
Bad Payload Size Alert: DISABLED
Unrecognized Version Alert: DISABLED
Max Encrypted Packets: 20
Max Server Version String Length: 80 (Default)
MaxClientBytes: 19600 (Default)
Ports:
22
DCE/RPC 2 Preprocessor Configuration
Global Configuration
DCE/RPC Defragmentation: Enabled
Memcap: 102400 KB
Events: none
Server Default Configuration
Policy: WinXP
Detect ports
SMB: 139 445
TCP: 135
UDP: 135
RPC over HTTP server: 593
RPC over HTTP proxy: None
Autodetect ports
SMB: None
TCP: 1025-65535
UDP: 1025-65535
RPC over HTTP server: 1025-65535
RPC over HTTP proxy: None
Maximum SMB command chaining: 3 commands
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53
SSLPP config:
Encrypted packets: not inspected
Ports:
443 465 563 636 989
992 993 994 995
Server side data is trusted
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Warning: /etc/snort/rules/dos.rules(42) => threshold (in rule) is deprecated;
use detection_filter instead.
ERROR: /etc/snort/rules/community-smtp.rules(13) => !any is not allowed
Fatal Error, Quitting..
--->8---
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages snort depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2.0] 1.5.37 Debian configuration management sy
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime libr
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libltdl7 2.2.6b-2 A system independent dlopen wrappe
ii libpcap0.8 1.1.1-2 system interface for user-level pa
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libprelude2 1.0.0-1 Security Information Management Sy
ii logrotate 3.7.8-6 Log rotation utility
ii snort-common 2.8.5.2-3 flexible Network Intrusion Detecti
ii snort-common-libraries 2.8.5.2-3 flexible Network Intrusion Detecti
ii snort-rules-default 2.8.5.2-3 flexible Network Intrusion Detecti
ii sysklogd [system-log-daemon] 1.5-6 System Logging Daemon
Versions of packages snort recommends:
ii iproute 20100519-3 networking and traffic control too
Versions of packages snort suggests:
pn snort-doc <none> (no description available)
-- debconf information:
snort/startup: boot
snort/please_restart_manually:
snort/stats_treshold: 1
* snort/address_range: 192.168.0.0/16
snort/options:
snort/invalid_interface:
* snort/interface: eth0
* snort/stats_rcpt: root
snort/send_stats: true
snort/config_parameters:
* snort/config_error:
snort/reverse_order: false
snort/disable_promiscuous: false
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
