[Snort-devel] DNS Dynamic Preprocessor Question

Steven Sturges steve.sturges at ...402...
Thu Feb 1 10:22:22 EST 2007


Hi Brent--

Looked through the code.  That message is just a warning and
appears benign in terms of affecting anything.  It occurs
during the post-config parsing stage, hence the misleading
line numbers (the DNS line is probably the last line in your
config file).

I'll see if we can clean it up, but it's safe to ignore that
message on the Win32 platforms when you use -E.

It isn't related at all to DNS -- if you had a threshold
on the last line of the config, it would've pointed to that
line instead.

Cheers.
-steve

Erickson Brent W KPWA wrote:
> Hi Steve,
> 
> Thank you for the quick response.
> 
> I believe you are right.
> 
> Here is the bat file command line we run:
> 
> snort -o -i 3 -E -d -l log -F f13 -K ascii -h xxx.yyy.0.0/16 -c snort.conf
> 
> We send alerts to the Windows Event viewer and also log to the log folder.
> 
> We don't use databases.
> 
> Brent
> 
> 
> -----Original Message-----
> From: Steven Sturges [mailto:steve.sturges at ...402...] 
> Sent: Thursday, February 01, 2007 6:58 AM
> To: Erickson Brent W KPWA
> Cc: 'snort-devel at lists.sourceforge.net'
> Subject: Re: [Snort-devel] DNS Dynamic Preprocessor Question
> 
> 
> Hi Brent--
> 
> Can you forward the command-line arguments you are passing to Snort? This
> looks like something that is specific to Win32 platforms.
> 
> Cheers.
> -steve
> 
> Erickson Brent W KPWA wrote:
>> Hello all,
>>
>> I just started utilizing the DNS and SMTP dynamic preprocessors and 
>> have a brief question about an error I receive from Snort during 
>> startup. Snort runs after the error message occurs.
>>
>> We are running version 2.6.1.2 and we have upgraded 7 Snort systems so 
>> far, and we greatly appreciate your efforts.
>>
>> They are all running rock solid.
>>
>> We are running Snort on a stripped down install of Windows XP Pro.
>>
>> Here is the snort.conf configuration line:
>>
>> preprocessor dns: ports { 53 } enable_rdata_overflow
>>
>> When we start Snort, we see the error:
>>
>> (876) => No arguments to alert_syslog preprocessor!
>>
>> Line 876 is this line -- preprocessor dns: ports { 53 } 
>> enable_rdata_overflow
>>
>> I've searched through the Snort 2.6.1 manual, looked in the forums, 
>> and also read the DNS readme file.
>>
>> I can't figure out what I'm overlooking.
>>
>> I am also running the SMTP dynamic preprocessor.
>>
>> If I comment out the DNS config, then I receive the same error at line 
>> 695, which is the last line of the SMTP config.
>>
>> We have never configured the alert_syslog preprocessor before and 
>> never needed to.
>>
>> Appreciate your advice.
>>
>> Brent Erickson
>>
> 