# Snort: "ERROR: Misconfigured dynamic preprocessor(s)"

## toor_

Greetings,

I am installing Snort and running through the configuration, I have seen a lot of people with a similar problem.  After editing the snort.conf file, I exit, save, and run a quick test (snort -c /etc/snort/snort.conf).  The test runs great until it hits a check for the dynamic preprocessors:

```

Running in IDS mode

        --== Initializing Snort ==--

Initializing Output Plugins!

Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0

Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0

Initializing Preprocessors!

Initializing Plug-ins!

Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

Var 'HOME_NET' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'EXTERNAL_NET' defined, value len = 17 chars, value = !192.168.0.100/24

Var 'DNS_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'SMTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'HTTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'SQL_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'TELNET_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Initializing Plug-ins!

Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++

Initializing rule chains...

Var 'HOME_NET' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'EXTERNAL_NET' defined, value len = 17 chars, value = !192.168.0.100/24

Var 'DNS_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'SMTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'HTTP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'SQL_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'TELNET_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'SNMP_SERVERS' defined, value len = 16 chars, value = 192.168.0.100/24

Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80

Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80

Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521

Var 'AIM_SERVERS' defined, value len = 185 chars

   [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9

   .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules

,-----------[Flow Config]----------------------

| Stats Interval:  0

| Hash Method:     2

| Memcap:          10485760

| Rows  :          4099

| Overhead Bytes:  16400(%0.16)

`----------------------------------------------

Frag3 global config:

    Max frags: 65536

    Fragment memory cap: 4194304 bytes

Frag3 engine config:

    Target-based policy: FIRST

    Fragment timeout: 60 seconds

    Fragment min_ttl:   1

    Fragment ttl_limit: 5

    Fragment Problems: 1

    Bound Addresses: 0.0.0.0/0.0.0.0

Stream4 config:

    Stateful inspection: ACTIVE

    Session statistics: INACTIVE

    Session timeout: 30 seconds

    Session memory cap: 8388608 bytes

    Session count max: 8192 sessions

    Session cleanup count: 5

    State alerts: INACTIVE

    Evasion alerts: INACTIVE

    Scan alerts: INACTIVE

    Log Flushed Streams: INACTIVE

    MinTTL: 1

    TTL Limit: 5

    Async Link: 0

    State Protection: 0

    Self preservation threshold: 50

    Self preservation period: 90

    Suspend threshold: 200

    Suspend period: 30

    Enforce TCP State: INACTIVE

    Midstream Drop Alerts: INACTIVE

    Allow Blocking of TCP Sessions in Inline: ACTIVE

    Server Data Inspection Limit: -1

WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)

Stream4_reassemble config:

    Server reassembly: INACTIVE

    Client reassembly: ACTIVE

    Reassembler alerts: ACTIVE

    Zero out flushed packets: INACTIVE

    Flush stream on alert: INACTIVE

    flush_data_diff_size: 500

    Reassembler Packet Preferance : Favor Old

    Packet Sequence Overlap Limit: -1

    Flush behavior: Small (<255 bytes)

    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306

    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306

HttpInspect Config:

    GLOBAL CONFIG

      Max Pipeline Requests:    0

      Inspection Type:          STATELESS

      Detect Proxy Usage:       NO

      IIS Unicode Map Filename: /etc/snort/unicode.map

      IIS Unicode Map Codepage: 1252

    DEFAULT SERVER CONFIG:

      Server profile: All

      Ports: 80 8080 8180

      Flow Depth: 300

      Max Chunk Length: 500000

      Inspect Pipeline Requests: YES

      URI Discovery Strict Mode: NO

      Allow Proxy Usage: NO

      Disable Alerting: NO

      Oversize Dir Length: 500

      Only inspect URI: NO

      Ascii: YES alert: NO

      Double Decoding: YES alert: YES

      %U Encoding: YES alert: YES

      Bare Byte: YES alert: YES

      Base36: OFF

      UTF 8: OFF

      IIS Unicode: YES alert: YES

      Multiple Slash: YES alert: NO

      IIS Backslash: YES alert: NO

      Directory Traversal: YES alert: NO

      Web Root Traversal: YES alert: YES

      Apache WhiteSpace: YES alert: NO

      IIS Delimiter: YES alert: NO

      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG

      Non-RFC Compliant Characters: NONE

      Whitespace Characters: 0x09 0x0b 0x0c 0x0d

rpc_decode arguments:

    Ports to decode RPC on: 111 32771

    alert_fragments: INACTIVE

    alert_large_fragments: ACTIVE

    alert_incomplete: ACTIVE

    alert_multiple_requests: ACTIVE

Portscan Detection Config:

    Detect Protocols:  TCP UDP ICMP IP

    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan

    Sensitivity Level: Low

    Memcap (in bytes): 10000000

    Number of Nodes:   36900

2833 Snort rules read...

2833 Option Chains linked into 212 Chain Headers

0 Dynamic rules

+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------

| memory-cap : 1048576 bytes

+-----------------------[thresholding-global]----------------------------------

| none

+-----------------------[thresholding-local]-----------------------------------

| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60

| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60

| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60

| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60

| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60

| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2

| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60

| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2

| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10

| gen-id=1      sig-id=3543       type=Threshold tracking=src count=5   seconds=2

| gen-id=1      sig-id=3527       type=Limit     tracking=dst count=5   seconds=60

| gen-id=1      sig-id=3542       type=Threshold tracking=src count=5   seconds=2

+-----------------------[suppression]------------------------------------------

| none

-------------------------------------------------------------------------------

Rule application order: ->activation->dynamic->pass->drop->alert->log

Log directory = /var/log/snort

Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor...

Warning: Directory /usr/local/lib/snort_dynamicpreprocessor does not exist!

  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor

/etc/snort/snort.conf(573) unknown dynamic preprocessor "ftp_telnet"

/etc/snort/snort.conf(577) unknown dynamic preprocessor "ftp_telnet_protocol"

/etc/snort/snort.conf(591) unknown dynamic preprocessor "ftp_telnet_protocol"

/etc/snort/snort.conf(596) unknown dynamic preprocessor "ftp_telnet_protocol"

/etc/snort/snort.conf(622) unknown dynamic preprocessor "smtp"

/etc/snort/snort.conf(777) unknown dynamic preprocessor "dcerpc"

/etc/snort/snort.conf(795) unknown dynamic preprocessor "dns"

ERROR: Misconfigured dynamic preprocessor(s)

Fatal Error, Quitting..

```

I assume the solution is to ensure you:

A) merge Snort with all the needed USE flags required for your system:

```
 USE="postgres mysql flexresp selinux snortsam odbc prelude inline dynamicplugin timestats perfprofiling linux-smp-stats flexresp2 react sguil gre" emerge -pv snort
```

B) Ensure your dynamic plugins are there and symbolically linked.:

```
ls -l /usr/lib/snort_dynamicpreprocessor/

libsf_dcerpc_preproc.a

libsf_dcerpc_preproc.la

libsf_dcerpc_preproc.so -> libsf_dcerpc_preproc.so.0.0.0

libsf_dcerpc_preproc.so.0 -> libsf_dcerpc_preproc.so.0.0.0

libsf_dcerpc_preproc.so.0.0.0

libsf_dns_preproc.a

libsf_dns_preproc.la

libsf_dns_preproc.so -> libsf_dns_preproc.so.0.0.0

libsf_dns_preproc.so.0 -> libsf_dns_preproc.so.0.0.0

libsf_dns_preproc.so.0.0.0

libsf_ftptelnet_preproc.a

libsf_ftptelnet_preproc.la

libsf_ftptelnet_preproc.so -> libsf_ftptelnet_preproc.so.0.0.0

libsf_ftptelnet_preproc.so.0 -> libsf_ftptelnet_preproc.so.0.0.0

libsf_ftptelnet_preproc.so.0.0.0

libsf_smtp_preproc.a

libsf_smtp_preproc.la

libsf_smtp_preproc.so -> libsf_smtp_preproc.so.0.0.0

libsf_smtp_preproc.so.0 -> libsf_smtp_preproc.so.0.0.0

libsf_smtp_preproc.so.0.0.0

libsf_ssh_preproc.a

libsf_ssh_preproc.la

libsf_ssh_preproc.so -> libsf_ssh_preproc.so.0.0.0

libsf_ssh_preproc.so.0 -> libsf_ssh_preproc.so.0.0.0

libsf_ssh_preproc.so.0.0.0
```

I tried the above and still, "ERROR: Misconfigured dynamic preprocessor(s)"...  Any help is welcome!

-toor

----------

