If you're here, you have probably already encountered an error while starting Snort as a daemon or while testing your snort.conf configuration file for syntax errors. To verify that your Snort instance runs fine, execute these commands:

$ snort -V  # Check your installed version of snort
$ sudo snort -c /etc/snort/snort.conf -T  # Validates your snort instance for errors


This tells you whether all your configs are fine and passing. If not, Snort reports the relevant error message in a more verbose fashion. Of late I had to upgrade my Snort from some older release to 2.9.8.3 (installed through the Snort source files). Once the installation was over, I wanted to verify that everything was fine before performing any tests, so as usual I ran the command to check my configuration for errors:

$ sudo snort -c /etc/snort/snort.conf -T


Unfortunately, I came across an error message saying:

ERROR size 1240 != 1120
ERROR: Failed to initialize dynamic preprocessor: SF_FTPTELNET version 1.2.13 (-2)


As far as debugging this issue is concerned, my first step was to verify whether there were any significant changes in the path configurations between the older Snort instance and the 2.9.8.3 one. I couldn't come up with any significant config changes which could have solved the problem right away. Digging further, I could see that there was a minor glitch which was causing the whole configuration check to fail. It was the dynamicpreprocessor directory path configuration which was the root cause. In my older Snort instance, the path was set to: /usr/lib/snort_dynamicpreprocessor/

To fix this error I simply had to make the following replacement inside the snort.conf file, and it all started working flawlessly. :)

Erroneous entry:

dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/


Fixed path:

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/


Run the same config check command and you should get the following message, which states that you now have a running Snort instance!

Snort successfully validated the configuration!
Snort exiting
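
To catch this kind of path mismatch before running the config test, the following added example (not part of the original post) lists the dynamic module paths in a snort.conf and flags any that lie outside the install prefix of the Snort binary in use. The function names, the PREFIX/lib* layout and the throwaway sample tree are assumptions made for illustration.

```shell
# Added example, not from the original post: flag dynamic-module paths in
# snort.conf that lie outside the install prefix of the snort binary in use.
# Assumption: modules live under PREFIX/lib*/, as in a default source install.

# Install prefix from a binary path, e.g. /usr/local/bin/snort -> /usr/local
snort_prefix() { dirname "$(dirname "$1")"; }

# Emit "directive path" per dynamic module line (directory/file keyword optional).
dynamic_paths() {
    awk '$1 ~ /^dynamic(preprocessor|engine|detection)$/ {
             print $1, (($2 == "directory" || $2 == "file") ? $3 : $2)
         }' "$1"
}

# check_dynamic_paths CONF PREFIX
# Prints "STATUS directive path" per entry; returns 1 if any entry is suspect.
check_dynamic_paths() {
    prefix=${2%/}; rc=0
    while read -r directive modpath; do
        [ -n "$directive" ] || continue
        case $modpath in
            "$prefix"/lib*/*)
                if [ -e "$modpath" ]; then status=OK
                else status=MISSING; rc=1; fi ;;
            *)  status=OUTSIDE-PREFIX; rc=1 ;;
        esac
        echo "$status $directive $modpath"
    done <<EOF
$(dynamic_paths "$1")
EOF
    return $rc
}

# Constructed sample tree: the post's stale usr/lib entry plus an engine path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/snort_dynamicpreprocessor" \
             "$root/usr/local/lib/snort_dynamicpreprocessor"
    printf '%s\n' "# constructed sample" \
        "dynamicpreprocessor directory $root/usr/lib/snort_dynamicpreprocessor/" \
        "dynamicengine $root/usr/local/lib/snort_dynamicengine/libsf_engine.so" \
        > "$root/snort.conf"
    echo "$root"
}

# Two arguments: check a real config. None: run the constructed sample.
if [ "$#" -eq 2 ]; then check_dynamic_paths "$1" "$2"; else
    r=$(make_sample); check_dynamic_paths "$r/snort.conf" "$r/usr/local" || true
    rm -rf "$r"; fi
```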


Hope this helps someone in some ways.

Cheers!
