[Snort-users] ssp_conversion BAD IP protocol, why?

Mike Koponick mkoponick at ...7385...
Tue May 6 06:26:13 EDT 2003


Neil,

Thanks for the reply and the help.

Have a nice day.

Mike


-----Original Message-----
From: Neil Dickey [mailto:neil at ...1633...] 
Sent: Monday, May 05, 2003 6:14 AM
To: Mike Koponick
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ssp_conversion BAD IP protocol, why?


"Mike Koponick" <mkoponick at ...7385...> wrote asking:

>I seem to be having a reoccurring issue with Snort. I receive millions
>of these messages in my snort log. I tried commenting out the SID (118)
>in the gen-msg file, but no go. 

That's correct.  The "gen-msg" file just provides the messages snort
prints in between the [**] flags in the alerts file.  It has no effect
whatever on what snort actually detects.

>Does anyone know how I can get rid of these things? They seem to report
>on packets that are typical on the network.
>
>05/05-06:40:45.325111  [**] [118:1:1] (spp_conversation) Bad IP
>protocol! [**] {UDP} xxx.xxx.xxx.xxx:514 -> xxx.xxx.xxx.xxx:514

"spp" stands for "Snort Pre-Processor".  When you see it in an alert
message, that means the alert was generated by one of the preprocessors
you have enabled in the snort.conf file.  You will have to edit that
file and comment out the line that begins ...

  preprocessor conversation:

... and also the lines that begin ...

  preprocessor portscan2:
  preprocessor portscan2-ignorehosts:
  etc.

... if you are using them.  Then restart Snort and all should be well.

I'm not being sarcastic here at all, but may I suggest that a careful
perusal of the manual would be very useful?  It isn't hard to master
Snort rule and configuration syntax, and there are good explanations
of the purposes of the various files associated with Snort.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115






More information about the Snort-users mailing list