Today I tried to update my Snort and rules, and when testing I got this error message because IPv6 was not enabled on my computer.
The fix is very simple: delete the sf_sdf.dll file from the C:\Snort\lib\snort_dynamicpreprocessor directory and start Snort again.
Updating Snort is very simple and can be described in a few steps, which can be used for a fresh install as well:
- download Snort 2.8.6 from the www.snort.org site
- download WinPcap 4.1.1 from www.winpcap.org
- install both of them on the target machine
- download the latest community rules from www.snort.org (you need to register and log in to be able to download them)
- extract the rules to C:\Snort, overwriting existing files, and open the Snort.conf file in the etc folder
- find line 155 and replace it with: dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
- then replace line 158 with: dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
- and then comment out line 161 if you don’t have dynamic rules: #dynamicdetection directory /usr/local/lib/snort_dynamicrules
- when you are done, if you are not using IPv6, delete the sf_sdf.dll file from C:\Snort\lib\snort_dynamicpreprocessor to avoid this error
- start Snort to test it
- start Snort as a service if the test is OK
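
The three configuration edits above can also be applied by directive name instead of by line number, since line numbers move between releases of the configuration file. The script below is an added example, not part of the original post: the function name and the sample lines are made up for illustration, and the paths are the C:\Snort ones used in the steps.

```powershell
# Added example, not from the original post. The function name is hypothetical;
# the C:\Snort paths are the ones used in the steps above.
function Update-SnortDynamicPaths {
    param(
        [string[]] $Lines,
        [string] $SnortRoot = 'C:\Snort'
    )
    $found = @{ dynamicpreprocessor = $false; dynamicengine = $false }
    $out = foreach ($line in $Lines) {
        # Only active (uncommented) directives are matched and rewritten.
        if ($line -match '^\s*dynamicpreprocessor\s+directory\s') {
            $found.dynamicpreprocessor = $true
            "dynamicpreprocessor directory $SnortRoot\lib\snort_dynamicpreprocessor"
        }
        elseif ($line -match '^\s*dynamicengine\s') {
            $found.dynamicengine = $true
            "dynamicengine $SnortRoot\lib\snort_dynamicengine\sf_engine.dll"
        }
        elseif ($line -match '^\s*dynamicdetection\s') {
            "#$line"    # no dynamic rules installed: comment the directive out
        }
        else { $line }  # everything else passes through unchanged
    }
    foreach ($name in $found.Keys) {
        if (-not $found[$name]) { Write-Warning "no active '$name' line found" }
    }
    $out
}

# Constructed sample lines in the style of the Unix-path defaults.
$sample = @(
    '# path to dynamic preprocessor libraries',
    'dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/',
    '',
    'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so',
    'dynamicdetection directory /usr/local/lib/snort_dynamicrules'
)

$conf = 'C:\Snort\etc\snort.conf'
if (Test-Path $conf) {
    Copy-Item $conf "$conf.bak" -Force          # keep the untouched original
    $new = Update-SnortDynamicPaths -Lines (Get-Content $conf)
    Set-Content -Path $conf -Value $new
} else {
    Update-SnortDynamicPaths -Lines $sample     # dry run on the sample
}
```

For the test step, running Snort with -T and -c pointing at the edited file makes it load the configuration, report any error and exit.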