[Snort-users] Looking for snort.conf with new preprocessor info

Harper, Patrick patrick.harper at ...11593...
Mon Jul 26 10:55:16 EDT 2004


How did you upgrade? This can make a difference.

Look in the source tarball and you will find the new snort.conf; it also
comes in the RPM.

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

-----Original Message-----
From: Bill Warren [mailto:bwarren at ...12173...] 
Sent: Monday, July 26, 2004 12:47 PM
To: Harper, Patrick; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info

I am running Debian Woody with Snort 2.0.0 and nothing else and it is
running fine.  It would catch all the portscans.  Now that I have
installed 2.2 rc1 it does not find them.  It starts with no errors.  
Here is what I get from my syslog.

Jul 26 12:42:38 optivel-mgmt snort: Writing PID "21721" to file "/var/run//snort_eth0.pid"
Jul 26 12:42:38 optivel-mgmt snort: HttpInspect Config:
Jul 26 12:42:38 optivel-mgmt snort:     GLOBAL CONFIG
Jul 26 12:42:38 optivel-mgmt snort:       Max Pipeline Requests:    0
Jul 26 12:42:38 optivel-mgmt snort:       Inspection Type:          STATELESS
Jul 26 12:42:38 optivel-mgmt snort:       Detect Proxy Usage:       NO
Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Filename: /etc/snort/etc/unicode.map
Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Codepage: 1252
Jul 26 12:42:38 optivel-mgmt snort: rpc_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode RPC on: 111 32771
Jul 26 12:42:38 optivel-mgmt snort:     alert_fragments: INACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_large_fragments: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_incomplete: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_multiple_requests: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort: telnet_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode telnet on: 21 23 25 119
Jul 26 12:42:38 optivel-mgmt snort: Conversation Config:
Jul 26 12:42:38 optivel-mgmt snort:    KeepStats: 0
Jul 26 12:42:38 optivel-mgmt snort:    Conv Count: 3000
Jul 26 12:42:38 optivel-mgmt snort:    Timeout   : 60
Jul 26 12:42:38 optivel-mgmt snort:    Alert Odd?: 0
Jul 26 12:42:38 optivel-mgmt snort:    Allowed IP Protocols:
Jul 26 12:42:38 optivel-mgmt snort:  All
Jul 26 12:42:38 optivel-mgmt snort:
Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:
Jul 26 12:42:38 optivel-mgmt snort:     log: /var/log/snort/scan.log
Jul 26 12:42:38 optivel-mgmt snort:     scanners_max: 256
Jul 26 12:42:38 optivel-mgmt snort:     targets_max: 1024
Jul 26 12:42:38 optivel-mgmt snort:     target_limit: 5
Jul 26 12:42:38 optivel-mgmt snort:     port_limit: 20
Jul 26 12:42:38 optivel-mgmt snort:     timeout: 60
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow. flow must be enabled for this plugin.
Jul 26 12:42:38 optivel-mgmt last message repeated 2 times
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow. flow must be enabled for this plugin.

I see that there is a problem with the flowbits.  That is why I think I did
something wrong with the snort.conf file.  Any ideas?

Thanks,
Bill


Harper, Patrick wrote:

>What OS are you running?  How did you install (binary for windows, RPM,
>Source)  a little more info is needed please
>
>-----Original Message-----
>From: Bill Warren [mailto:bwarren at ...12173...]
>Sent: Monday, July 26, 2004 9:04 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Looking for snort.conf with new preprocessor info
>
>Hello All,
>I just updated from Snort 2.0.0 to 2.2 and I need the new snort.conf 
>with preprocessor info.
>Thanks,
>Bill
>
>  
>

-- 

**********************************
Bill Warren
Optivel, Inc.
E-mail: bwarren at ...12173...
Voice:  317.275.2305
Fax:    317.275.2301
Web:    http://www.optivel.com
**********************************

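The diagnosis in this thread (rules that use flowbits are loaded, but the
old 2.0-era snort.conf has no "preprocessor flow" line, so Snort 2.2 warns
"flowbits without flow" and the flow-dependent detection does not fire) can
be checked offline. The script below is an added example written for this
archive page; it is not code from the thread or from the Snort project. It
reads a snort.conf for the preprocessor lines that are actually enabled
(commented-out ones are ignored), lists rules whose options use flowbits,
and counts the "flowbits without flow" startup warnings in syslog lines,
folding syslog's "last message repeated N times" into the preceding warning.
The config, rule and syslog samples are constructed to mirror the thread;
the rule text, sids and rule line numbers are illustrative and are not the
real web-misc.rules.

```python
"""Offline check for 'flowbits without flow' after a Snort 2.0 -> 2.2 upgrade.

Added example, not code from the thread or the Snort project. All inputs
below are constructed to mirror the thread.
"""
import re
from collections import Counter

# Constructed: an upgraded install that kept a 2.0-era snort.conf. The flow
# line is present only as a comment, so it is NOT enabled.
CONF_WITHOUT_FLOW = """\
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
# preprocessor flow: stats_interval 0 hash 2
"""

# Constructed: the same file with the line from the 2.2 snort.conf added.
CONF_WITH_FLOW = CONF_WITHOUT_FLOW + "preprocessor flow: stats_interval 0 hash 2\n"

# Constructed rule file. flowbits is what triggers the warning; line numbers
# are those of this string, not of the real web-misc.rules.
RULES = """\
# illustrative rules (constructed)
alert tcp any any -> any 80 (msg:"EXAMPLE set flag"; flow:to_server,established; content:"GET"; flowbits:set,example.seen; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE check flag"; flow:to_server,established; flowbits:isset,example.seen; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE no flowbits"; content:"HEAD"; sid:1000003; rev:1;)
"""

# Constructed syslog excerpt in the shape of the startup block in the thread.
SYSLOG = [
    "Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:",
    "Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow. flow must be enabled for this plugin.",
    "Jul 26 12:42:38 optivel-mgmt last message repeated 2 times",
    "Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow. flow must be enabled for this plugin.",
]

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_-]+)")
WARN_RE = re.compile(
    r"snort(?:\[\d+\])?: Warning: (?P<file>\S+) \((?P<line>\d+)\) => flowbits without flow")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def declared_preprocessors(conf_text):
    """Names of preprocessors that are really enabled; '#' comments are dropped."""
    names = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = PREPROC_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def rules_using_flowbits(rules_text):
    """(line number, msg) for every active rule whose options use flowbits."""
    found = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#") or "flowbits:" not in line:
            continue
        m = MSG_RE.search(line)
        found.append((n, m.group(1) if m else ""))
    return found


def parse_flow_warnings(syslog_lines):
    """Count 'flowbits without flow' warnings per (rule file, rule line).

    syslog collapses identical consecutive messages into 'last message
    repeated N times'; those N are credited to the warning just before it.
    """
    counts = Counter()
    last = None
    for line in syslog_lines:
        m = WARN_RE.search(line)
        if m:
            last = (m.group("file"), int(m.group("line")))
            counts[last] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            counts[last] += int(r.group("n"))
        else:
            last = None  # any other message breaks the repeat chain
    return counts


def check(conf_text, rules_text, syslog_lines=()):
    """Return findings; an empty list means flow is consistent with the rule set."""
    preps = declared_preprocessors(conf_text)
    flow_on = "flow" in preps
    fb_rules = rules_using_flowbits(rules_text)
    findings = []
    if fb_rules and not flow_on:
        findings.append(
            f"{len(fb_rules)} rule(s) use flowbits but 'preprocessor flow' is not "
            "enabled; add: preprocessor flow: stats_interval 0 hash 2")
    if "flow-portscan" in preps and not flow_on:
        findings.append("flow-portscan is configured but flow is not; it will not work")
    for (path, rule_line), n in sorted(parse_flow_warnings(syslog_lines).items()):
        findings.append(
            f"snort warned {n} time(s): {path} line {rule_line} has flowbits without flow")
    return findings


if __name__ == "__main__":
    for label, conf in (("old conf", CONF_WITHOUT_FLOW), ("fixed conf", CONF_WITH_FLOW)):
        print(label, "->", check(conf, RULES, SYSLOG if label == "old conf" else ()) or "OK")
```

To use it on a real box, pass open("/etc/snort/snort.conf").read(), the
concatenated rule files, and the startup lines grepped out of syslog to
check(). It only tests whether a flow line is enabled at all; it does not
validate the flow arguments or anything about preprocessor ordering.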