Hi, I installed snort with mysql support as described in the Gentoo Forums. When I try to actually start Snort I get the following error message:

root@myserver werner # snort -v -u snort -dev -i any -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort/snort.conf
Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface any
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding 'ANY' on interface any
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
Node unique name is: myserver:any
database: sensor name = myserver:any
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: ACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
ERROR: unknown preprocessor "8_decode"
Fatal Error, Quitting..

When I start Snort (/etc/init.d/snort) it says it actually started successfully but "ps aux" does not show up any process related to snort. Is this a known issue? I could not find anything in the forums nor bugzilla.

Reproducible: Always

Steps to Reproduce:
1. Install snort with mysql support
2. Run snort: snort -v -u snort -dev -i any -h 192.168.0.0/24 -l /var/log/snort -c /etc/snort/snort.conf
3. See error message

Actual Results:
Snort does not run at all

Expected Results:
Well Snort should run and log everything to MySQL

reassigning to netmon herd, since this does not appear to be a security vulnerability or alike
snort 2.3.0_rc2 was added yesterday. Please let me know if this fixes your problem.
The fatal error - quitting would normally mean the process has quit and therefore won't show up with ps aux. The unknown preprocessor "8_decode" probably means that somewhere in your snort.conf is some mention of it and it really doesn't exist. Please recheck the manual. If you still have troubles reopen this bug. If you don't feel comfortable posting your snort.conf file here email it to me privately and reopen this bug as a reminder to me.
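
One way to carry out the check suggested in the last comment, as an added example that is not part of the original bug thread: take the name from Snort's "unknown preprocessor" error and report which active line of snort.conf declares it, skipping comments and joining backslash continuations. The config excerpt and all function names are constructed for illustration; this is not the reporter's file.

```python
import re

# Constructed snort.conf excerpt; line 4 is deliberately broken to reproduce the error.
SAMPLE_CONF = """\
# constructed snort.conf excerpt
var HOME_NET 192.168.0.0/24
preprocessor frag2
preprocessor 8_decode: 80 8080
preprocessor stream4: detect_scans, \\
    disable_evasion_alerts
# preprocessor telnet_decode
output database: log, mysql, user=snort dbname=snort host=localhost
"""
SAMPLE_ERROR = 'ERROR: unknown preprocessor "8_decode"'  # as printed in the report

DIRECTIVE = re.compile(r'^\s*preprocessor\s+([^\s:]+)\s*:?\s*(.*)$')
ERROR = re.compile(r'unknown preprocessor "([^"]+)"')

def logical_lines(text):
    """Yield (first_line_number, text), merging lines that end in a backslash."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def preprocessors(text):
    """Return [(line_number, name, options)] for each uncommented directive."""
    found = []
    for no, line in logical_lines(text):
        m = None if line.lstrip().startswith("#") else DIRECTIVE.match(line)
        if m:
            found.append((no, m.group(1), " ".join(m.group(2).split())))
    return found

def locate_unknown(error_line, conf_text):
    """Map the 'unknown preprocessor' error to the config lines declaring that name."""
    m = ERROR.search(error_line)
    name = m.group(1) if m else None
    return name, [no for no, n, _ in preprocessors(conf_text) if n == name]

if __name__ == "__main__":
    name, lines = locate_unknown(SAMPLE_ERROR, SAMPLE_CONF)
    print(f"preprocessor {name!r} is declared on line(s) {lines}")
    for no, n, opts in preprocessors(SAMPLE_CONF):
        print(f"{no:4d}  {n}  {opts}")
```

Files pulled in through include directives are not followed, so run the same check on each included file as well.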