Activeworx.org Forums
 
New Post 6/19/2008 2:36 AM
  paulr


snort.conf and dissimilar sensors 

Hi,

I just noticed one of my sensors wasn't updating properly.  The rules are fine but I had to add variables for the database server since one moved and needs to be called by an internal IP now.  I thought everything was okay until I realized snort was kicking off with a hard-coded config from the wrong directory on a sensor.  The config works but is out of date and isn't the config that has been uploading with the updates.  The issue is that the config uploaded from the IDS PM does not work on one sensor.

Long story short is that I believe one sensor (snort) was compiled slightly differently when the OS was changed.  --So it keeps uploading a config that works on other sensors but not the one.

I'm guessing there is not a way to fix this short of re-compiling, killing the options causing the issue across all, or applying another policy (which I don't want to do)?  I think I'm basically having pre-processor issues.  Although when I commented those out it failed on an emerging virus rule where it looked like HOME_NEt had a lower case t.  That I can't figure out since both sensors get the same rules and the other doesn't spit up.

Anyway...just fishing for ideas...am I going to have to re-compile with maximum options to ensure the failing config has what it needs on the box?  Sounds like all sensors need to match the capabilities of the original import?  --unless, just had a thought, I can play with variables somehow to dumb down the config on the one system only.

Thanks.

 

 

 
New Post 6/20/2008 2:13 PM
  Jeff Dell
www.activeworx.com


Re: snort.conf and dissimilar sensors 

Run snort with -T to test the config. it will tell you exactly where the problem is. If you want to post the error message we can try and help.

Cheers,

Jeff

 
New Post 6/20/2008 7:21 PM
  paulr


Re: snort.conf and dissimilar sensors 

This is the error after I 'correct' the startup to start from the snort.conf being uploaded that works on the other sensors.  The directory and header files and a few c files exist there.  I haven't had time to compare to a working sensor yet but assume this one was compiled with some different options:

...Loading all dynamic preprocessor libs from /usr/local/snort-2.8/lib/snort_dynamicpreprocessor/...
Warning: No dynamic libraries found in directory /usr/local/snort-2.8/lib/snort_dynamicpreprocessor/!
  Finished Loading all dynamic preprocessor libs from /usr/local/snort-2.8/lib/snort_dynamicpreprocessor/
/etc/snort/snort.conf(88) unknown dynamic preprocessor "smtp"
/etc/snort/snort.conf(93) unknown dynamic preprocessor "dcerpc"
/etc/snort/snort.conf(94) unknown dynamic preprocessor "dns"
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..

 

Directory:

bitop.h          profiler.h                sf_dynamic_preproc_lib.h   sfghash.h                        str_search.h
debug.h          sf_dynamic_common.h       sf_dynamic_preprocessor.h  sfhashfcn.h                      stream_api.h
pcap_pkthdr32.h  sf_dynamic_meta.h         sf_snort_packet.h          sfsnort_dynamic_detection_lib.c
preprocids.h     sf_dynamic_preproc_lib.c  sf_snort_plugin_api.h      sfsnort_dynamic_detection_lib.h

 
New Post 6/20/2008 7:30 PM
  paulr


Re: snort.conf and dissimilar sensors 

What's weird is the configs on the other sensors are working...on this it looks like it should be pointing to:

/usr/local/lib/snort_dynamicpreprocessor

I think I remember the difference too --this one was compiled with IPv6 support and I'll bet the others weren't (note the error about SMTP and IPv6)

 

 Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor
ERROR: SMTP is not currently supported when IPv6 is enabled.
Fatal Error, Quitting..

 
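Jeff's "snort -T" advice and the two outputs above reduce to one question per sensor: does the directory named on the snort.conf "dynamicpreprocessor directory" line actually contain a libsf_<name>_preproc.so for every dynamic preprocessor that same snort.conf enables? On the failing sensor the pushed conf points at /usr/local/snort-2.8/lib/snort_dynamicpreprocessor/ (only headers and .c files there), while the libraries live under /usr/local/lib/snort_dynamicpreprocessor. The script below is an added example, not code from the thread or from Activeworx. It assumes the Snort 2.8 library naming visible in the quoted output (libsf_<name>_preproc.so, with the underscore dropped for ftp_telnet), an assumed list of which 2.8 preprocessors are dynamic, only the "directory" form of the dynamicpreprocessor line, and a sample sensor layout it constructs itself in a temp directory:

```shell
#!/bin/sh
# Added example, not code from the thread or from Activeworx: a pre-flight
# check for the snort.conf that the IDS Policy Manager pushes to a sensor.
# It finds the directory the 'dynamicpreprocessor directory' line points at
# and reports every enabled dynamic preprocessor whose library is not there.
# The dynamic list, the library naming and the sample layout are assumptions
# modelled on the Snort 2.8 output quoted in the thread.

# Preprocessors that Snort 2.8 ships as .so files (assumed list). Built-in
# ones such as frag3, stream5 and http_inspect have no library to check.
DYNAMIC_PREPROCS="smtp dns dcerpc ssh ftp_telnet"

# Print the directory named by the first 'dynamicpreprocessor directory' line.
# (The 'dynamicpreprocessor file <lib>' form is not handled here.)
preproc_dir() {
    awk '$1 == "dynamicpreprocessor" && $2 == "directory" { print $3; exit }' "$1"
}

# Print the names on all 'preprocessor <name>[: ...]' lines, one per line.
# The name ends at the first non-identifier character, so
# 'preprocessor smtp: \' yields 'smtp'.
enabled_preprocs() {
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]\{1,\}\([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# Map a preprocessor name to its library file name. Underscores are dropped,
# so ftp_telnet -> libsf_ftptelnet_preproc.so, matching the names in the thread.
lib_for() {
    printf 'libsf_%s_preproc.so\n' "$(printf '%s' "$1" | tr -d '_')"
}

# Print each enabled dynamic preprocessor with no library in the configured
# directory. Returns 1 if any is missing (snort -T would then report
# 'unknown dynamic preprocessor "<name>"'), 0 if the directory covers them all.
missing_preprocs() {
    mp_conf=$1
    mp_dir=$(preproc_dir "$mp_conf")
    mp_rc=0
    for mp_name in $(enabled_preprocs "$mp_conf"); do
        case " $DYNAMIC_PREPROCS " in
            *" $mp_name "*) ;;   # dynamic: needs a .so on disk
            *) continue ;;       # built-in: nothing to check
        esac
        if [ ! -f "$mp_dir/$(lib_for "$mp_name")" ]; then
            echo "$mp_name"
            mp_rc=1
        fi
    done
    return $mp_rc
}

# Constructed sample sensor (not real data): a snort.conf that enables smtp,
# dns, dcerpc and the built-in stream5, pointing at a library directory that
# holds only the dns and dcerpc libraries. Prints the path of the conf.
make_sample_sensor() {
    ms_root=$(mktemp -d)
    mkdir -p "$ms_root/lib/snort_dynamicpreprocessor"
    : > "$ms_root/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so"
    : > "$ms_root/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so"
    cat > "$ms_root/snort.conf" <<EOF
var HOME_NET 10.0.0.0/8
dynamicpreprocessor directory $ms_root/lib/snort_dynamicpreprocessor
preprocessor stream5_global: max_tcp 8192
preprocessor smtp: \\
    ports { 25 }
preprocessor dcerpc: autodetect
preprocessor dns: ports { 53 }
EOF
    echo "$ms_root/snort.conf"
}

sample_conf=$(make_sample_sensor)
echo "checking $sample_conf against $(preproc_dir "$sample_conf")"
missing_preprocs "$sample_conf" || echo "libraries missing for the preprocessors above; snort -T will fail on this sensor"
```

Run it on each sensor against the conf the PM pushed (replace make_sample_sensor with the real path). A clean result only means the library set matches the conf; it still has to be followed by snort -T on that sensor, because a build-level mismatch such as the "SMTP is not currently supported when IPv6 is enabled" error above is only caught by Snort itself.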
New Post 6/25/2008 9:08 PM
  paulr


Re: snort.conf and dissimilar sensors 

Well, that sucks.  The sensor that doesn't work with the config is working (basing it on an old snort.conf)...I guess I'll re-compile and try to find the commands in history when I compiled the other......except if I do that I wonder if it will work now since the sensor that WAS working was just broken by the latest Snort rules update from the IDS PM.  Argh.  After the upload it just segfaults even after a system restart...

DNS config:
    DNS Client rdata txt Overflow

 
New Post 6/25/2008 9:17 PM
  Jeff Dell
www.activeworx.com


Re: snort.conf and dissimilar sensors 

Does the old snort.conf enable all those dynamic preprocessors?

Cheers,

Jeff

 
New Post 6/25/2008 10:36 PM
  paulr


Re: snort.conf and dissimilar sensors 

On the original question --no.  That was the manual file; I must have remarked those out.  At every upload the conf compatible with the other sensor is uploaded again so I'm not using the one managed by the PM and not getting updates per se.  Just rule updates.  It looks like I need to either dumb down the other sensor by disabling things until both work or re-compile the bad sensor with IPv6 turned off and other options matching.

--the new problem is a segfault after the latest rules were applied.  Funny thing is that those rules work fine on the box running the IPv6 and old conf file.  --so I'm afraid I'm going to break both fixing this.  I deleted all the rules and did a full upload again from the PM but it still segfaults.  If I delete all rules it doesn't (but doesn't run) so I guess I need to remark them out one at a time in the conf file until I figure out which new ruleset is segfaulting it....

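Commenting the rule includes out one at a time works but costs one snort -T run per ruleset; since "no rules" passes and "all rules" crashes, a binary search over the include lines finds the offending ruleset in about log2(N) runs. The script below is an added example, not code from the thread or from Activeworx. It assumes a single include is enough to reproduce the crash (if two rulesets only fail together the bisection will not isolate them), that the test is any command which exits non-zero on failure and takes the conf path as its last argument (on a real sensor: snort -T -c), and it constructs its own sample snort.conf and a stand-in tester that fails whenever a constructed "emerging-virus.rules" include is enabled:

```shell
#!/bin/sh
# Added example, not code from the thread or from Activeworx: bisect the
# 'include $RULE_PATH/*.rules' lines of a snort.conf to find the one ruleset
# that makes the tester fail. Assumes one include is sufficient to reproduce
# the failure; the sample conf and the stand-in tester are constructed here.

# Print the rule include lines of a conf, in file order.
rule_includes() {
    grep -E '^[[:space:]]*include[[:space:]]+.*\.rules' "$1"
}

# Write a copy of conf $1 to $2 in which every rule include is commented out
# except includes numbered $3..$4 (1-based, in file order).
subset_conf() {
    awk -v lo="$3" -v hi="$4" '
        /^[[:space:]]*include[[:space:]]+.*\.rules/ {
            n++
            if (n < lo || n > hi) { print "# bisect: " $0; next }
        }
        { print }' "$1" > "$2"
}

# Binary search over the includes of conf $1 using tester $2 (the temporary
# conf copy is appended as its last argument). Prints the offending include
# line. Returns 1 if the conf passes with every include enabled, i.e. the
# failure is not caused by the rule includes at all.
bisect_includes() {
    bi_conf=$1
    bi_test=$2
    bi_tmp=$(mktemp)
    bi_lo=1
    bi_hi=$(rule_includes "$bi_conf" | wc -l | tr -d ' ')
    # Confirm the failure reproduces with all includes enabled.
    subset_conf "$bi_conf" "$bi_tmp" 1 "$bi_hi"
    if $bi_test "$bi_tmp"; then
        rm -f "$bi_tmp"
        return 1
    fi
    while [ "$bi_lo" -lt "$bi_hi" ]; do
        bi_mid=$(( (bi_lo + bi_hi) / 2 ))
        subset_conf "$bi_conf" "$bi_tmp" "$bi_lo" "$bi_mid"
        if $bi_test "$bi_tmp"; then
            bi_lo=$((bi_mid + 1))   # lower half is clean: culprit is above mid
        else
            bi_hi=$bi_mid           # failure reproduces with the lower half alone
        fi
    done
    rm -f "$bi_tmp"
    rule_includes "$bi_conf" | sed -n "${bi_lo}p"
}

# Constructed sample conf (not real data) with six rule includes; prints its path.
make_sample_conf() {
    mc_conf=$(mktemp)
    cat > "$mc_conf" <<'EOF'
var RULE_PATH /etc/snort/rules
preprocessor stream5_global: max_tcp 8192
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/policy.rules
EOF
    echo "$mc_conf"
}

# Stand-in for 'snort -T -c <conf>' (constructed): fails whenever the
# emerging-virus include is still enabled in the conf it is given.
fake_snort_test() {
    ! grep -qE '^[[:space:]]*include[[:space:]]+.*emerging-virus\.rules' "$1"
}

sample_conf=$(make_sample_conf)
echo "culprit: $(bisect_includes "$sample_conf" fake_snort_test)"
```

On a sensor, replace the stand-in with a wrapper such as a function that runs snort -T -c on the path it is given; snort -T exits non-zero on a configuration error and a segfault during the test is also a non-zero exit, so both kinds of failure bisect the same way.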
 
Copyright 2000-2007 by Activeworx, Inc.