[Snort-users] FATAL ERROR: Please activate spp_conversation before trying to ac tivate spp_portscan2

Matt Kettler mkettler at ...4108...
Mon Sep 29 10:52:11 EDT 2003


At 10:24 AM 9/29/2003, Peters, Michael D. wrote:
>I would like to turn the portscan feature on. This is what I have in the
>config file enabled.
>
>preprocessor portscan: $HOME_NET 5 3
>/var/snort/portscan/home/home-portscan.log
>preprocessor portscan-ignorehosts:  xxx.xxx.xxx.xxx/32 xxx.xxx.xxx.xxx/32
>preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5,
>port_limit 20, timeout 60
>preprocessor portscan2-ignorehosts: xxx.xxx.xxx.xxx/12
>
>I get this error in syslog: "FATAL ERROR: Please activate spp_conversation
>before trying to activate spp_portscan2"
>
>Can someone please point out to me what I am doing wrong or missing in the
>config?

Well, I hate be blunt, but the error message tells you exactly what to do, 
turn on spp_conversation.

What more explanation do you need?

The portscan2 preprocessor REQUIRES the spp_conversation preprocessor. It 
cannot work without it. You don't have it enabled, so snort fails.

Look for it in the sample spp_conversation lines in the snort.conf that 
comes in the snort tarball and enable it. Make sure it comes before 
portscan2 in your snort.conf. 





More information about the Snort-users mailing list