[Snort-users] FATAL ERROR: Please activate spp_conversation before trying to ac tivate spp_portscan2
mkettler at ...4108...
Mon Sep 29 10:52:11 EDT 2003
At 10:24 AM 9/29/2003, Peters, Michael D. wrote:
>I would like to turn the portscan feature on. This is what I have in the
>config file enabled.
>preprocessor portscan: $HOME_NET 5 3
>preprocessor portscan-ignorehosts: xxx.xxx.xxx.xxx/32 xxx.xxx.xxx.xxx/32
>preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5,
>port_limit 20, timeout 60
>preprocessor portscan2-ignorehosts: xxx.xxx.xxx.xxx/12
>I get this error in syslog: "FATAL ERROR: Please activate spp_conversation
>before trying to activate spp_portscan2"
>Can someone please point out to me what I am doing wrong or missing in the
Well, I hate be blunt, but the error message tells you exactly what to do,
turn on spp_conversation.
What more explanation do you need?
The portscan2 preprocessor REQUIRES the spp_conversation preprocessor. It
cannot work without it. You don't have it enabled, so snort fails.
Look for it in the sample spp_conversation lines in the snort.conf that
comes in the snort tarball and enable it. Make sure it comes before
portscan2 in your snort.conf.
More information about the Snort-users