Bug 69977 - Snort not logging anything when MySQL is enabled, error message "ERROR: unknown preprocessor "8_decode"
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High major
Assignee: Gentoo Netmon project
Reported: 2004-11-03 14:31 UTC by Werner Schalk
Modified: 2005-01-25 00:00 UTC

Description Werner Schalk 2004-11-03 14:31:16 UTC
Hi,

I installed snort with mysql support as described in the Gentoo Forums. When I try to actually start Snort I get the following error message:

root@myserver werner # snort -v -u snort -dev -i any -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface any

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding 'ANY' on interface any
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
Node unique name is: myserver:any

database:   sensor name = myserver:any
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: ACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
ERROR:  unknown preprocessor "8_decode"
Fatal Error, Quitting..

When I start Snort (/etc/init.d/snort) it says it actually started successfully, but "ps aux" does not show any process related to snort. Is this a known issue? I could not find anything in the forums nor bugzilla.

Reproducible: Always
Steps to Reproduce:
1. Install snort with mysql support
2. Run snort: snort -v -u snort -dev -i any -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort/snort.conf
3. See error message

Actual Results:  
Snort does not run at all

Expected Results:  
Well Snort should run and log everything to MySQL
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-03 14:44:14 UTC
reassigning to netmon herd, since this does not appear to be a security vulnerability or the like
Comment 2 Daniel Black (RETIRED) gentoo-dev 2005-01-12 00:50:07 UTC
snort 2.3.0_rc2 was added yesterday. Please let me know if this fixes your problem.
Comment 3 Daniel Black (RETIRED) gentoo-dev 2005-01-25 00:00:24 UTC
the fatal error - quitting would normally mean the process has quit and therefore won't show up with ps aux.

The unknown preprocessor "8_decode" probably means that somewhere in your snort.conf is some mention of it and it really doesn't exist. Please recheck the manual.

If you still have troubles reopen this bug. If you don't feel comfortable posting your snort.conf file here email it to me privately and reopen this bug as a reminder to me.
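A quick pre-start check for the situation described in Comment 3 (a preprocessor name in snort.conf that the running build does not know), as an added example that is not part of the bug report, of Gentoo or of Snort itself: it lists the preprocessor directives in a config and flags any name not in a known list. The known-name list and the sample config are assumptions constructed from the names visible in the startup output above.

```shell
# Added example, not code from the bug report or from Snort: lint a
# snort.conf for "preprocessor" directives whose name the build does not
# know. Snort aborts on the first such line ('ERROR: unknown preprocessor
# "<name>"') and the init script may still report success.

# Names this build accepts. Assumption: only the three preprocessors that
# appear in the reporter's startup output; extend for a real installation.
KNOWN_PREPROCESSORS="frag2 stream4 stream4_reassemble"

# Write a constructed snort.conf excerpt (not the reporter's real file) to
# a temp file and print its path. It has the three known preprocessors plus
# the bogus "8_decode" line that produced the fatal error.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# snort.conf excerpt (constructed)
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor 8_decode: 80
output database: log, mysql, user=snort dbname=snort host=localhost
EOF
    echo "$f"
}

# Print every preprocessor name referenced in a config, one per line.
# Matches "preprocessor NAME" and "preprocessor NAME: args"; comment
# lines and other directives (output, var, include, ...) are skipped.
list_preprocessors() {
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]\{1,\}\([^:[:space:]]*\).*/\1/p' "$1"
}

# Print the names that are not in KNOWN_PREPROCESSORS.
# Returns 1 if any were found (the config would not load), 0 otherwise.
unknown_preprocessors() {
    status=0
    for name in $(list_preprocessors "$1"); do
        case " $KNOWN_PREPROCESSORS " in
            *" $name "*) ;;
            *) echo "$name"; status=1 ;;
        esac
    done
    return $status
}

conf=$(make_sample_conf)
if unknown_preprocessors "$conf"; then echo "all preprocessors known"; fi
rm -f "$conf"
```

Run against the real /etc/snort/snort.conf with the full list of preprocessors your Snort version ships, the unknown name is printed before the daemon is started rather than discovered afterwards via a missing process.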