06-14-2019, 06:31 AM   #1
Corvette
Snort on CentOS 7 - Invalid Keyword '}' for server configuration


I am attempting to set up Snort on my CentOS VM. Although I had some trouble initially, it seems to have finally installed correctly and I can run it in sniffer mode. However, whenever I try to pass it a config file in order to run as an IDS, I receive the following:

Code:
HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/etc/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 1807
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
ERROR: /etc/snort/etc/snort.conf(327) => Invalid keyword '}' for server configuration.

The config file is the one that came with the ruleset (https://www.snort.org/rules/snortrul...z?oinkcode=***). Line 327 is:

Code:
   decompress_pdf { deflate }

This is part of the larger http_inspect_server preprocessor block.

Code:
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1812 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000 7001 7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no \
    decompress_swf { deflate lzma } \
    decompress_pdf { deflate }

What might the issue be? Thanks in advance.
 
06-15-2019, 02:58 AM   #2
ondoho
Quote:
Originally Posted by Corvette
The config file is the one that came with the ruleset (https://www.snort.org/rules/snortrul...z?oinkcode=***). Line 327 is:

Code:
   decompress_pdf { deflate }

that link does not make any sense.
can you share where you got that config file from?
and are you sure it's the one that's supposed to become /etc/snort/etc/snort.conf on your system?

for the error: is it the first curly bracket in the config file?
maybe it requires a semicolon or a newline after the keyword?
have you just tried out a few things, some troubleshooting?
 
06-15-2019, 06:21 AM   #3
Corvette
Thanks for the response.

As noted, the config file is from the rule set downloaded from the link. Per the Snort website, you download rule sets using a URL of the form:
Code:
https://www.snort.org/rules/<file_name>?oinkcode=<oinkcode>

The link mentioned in the post simply has the <file_name> (snortrules-snapshot-29130.tar.gz) filled in and my "oinkcode" stripped. Yes, "/etc/snort/etc/etc/snort/conf" is the correct file. I know it is an odd place, but that just happened to be where it got extracted to from the tarball. The config file lets you specify paths to the rules and the like, so its location should not be the issue.

Since it says that the "invalid keyword" is '}', I assume it is the second (closing) curly bracket on the line. The snort config file does not have semicolons.
Not really sure how much troubleshooting I can do. Hoping someone who has experience with Snort might have seen the issue. I tried searching for the error, comparing it to the config that came with the install, and even passing the sample config file that came with the install (still received the same error).

I can post the entire config file, but not sure how useful it will be. Only a few lines were changed (the paths to rules, dynamicpreprocessor, and dynamicengine), but nothing around the section throwing the error.
Attached Files
File Type: txt snort.txt (28.8 KB, 0 views)
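
A helper for the kind of troubleshooting discussed in this thread, as an added example that is not part of any post: it joins backslash-continued lines the way the quoted block is written, reports which statement a reported line number falls in, and lists that statement's brace-delimited options so two configs can be compared. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: a shortened version of the block quoted in the thread.
SAMPLE = """\
# constructed sample config
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \\
    small_chunk_length { 10 5 } \\
    ports { 80 8080 } \\
    u_encode yes \\
    decompress_swf { deflate lzma } \\
    decompress_pdf { deflate }
"""

def statements(text):
    """Yield (first_line, last_line, joined_text) per logical statement."""
    start, parts = None, []
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # skip blank lines and comments between statements
            start = no
        cont = line.rstrip().endswith("\\")
        parts.append(line.rstrip().rstrip("\\").strip())
        if not cont:
            yield start, no, " ".join(parts)
            start, parts = None, []
    if parts:  # file ended on a continuation backslash
        yield start, no, " ".join(parts)

def statement_at(text, lineno):
    """Return the logical statement containing physical line `lineno`."""
    for first, last, joined in statements(text):
        if first <= lineno <= last:
            return first, last, joined
    return None

def brace_options(statement):
    """Map each 'keyword { args }' option to its argument list."""
    if statement.count("{") != statement.count("}"):
        raise ValueError("unbalanced braces in statement")
    return {k: v.split() for k, v in re.findall(r"(\w+)\s*\{([^{}]*)\}", statement)}

def options_only_in(a, b):
    """Brace options present in statement `a` but missing from `b`."""
    return sorted(set(brace_options(a)) - set(brace_options(b)))
```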
 
  

