[Snort-users] Looking for snort.conf with new preprocessor info

Bill Warren bwarren at ...12173...
Mon Jul 26 11:34:15 EDT 2004


I installed 2.1.3 from tar then 2.2 from tar.

Also, I have the line  "preprocessor flow: stats_interval 0 hash 2" in 
my snort.conf file


Harper, Patrick wrote:

>How did you upgrade? This can make a difference
>
>Look in the source tarball and you will find the new snort.conf, it also
>comes in the  RPM.  
>
># Configure Flow tracking module
># -------------------------------
>#
># The Flow tracking module is meant to start unifying the state keeping
># mechanisms of snort into a single place. Right now, only a portscan detector
># is implemented but in the long term,  many of the stateful subsystems of
># snort will be migrated over to becoming flow plugins. This must be enabled
># for flow-portscan to work correctly.
>#
># See README.flow for additional information
>#
>preprocessor flow: stats_interval 0 hash 2
>
>-----Original Message-----
>From: Bill Warren [mailto:bwarren at ...12173...] 
>Sent: Monday, July 26, 2004 12:47 PM
>To: Harper, Patrick; snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info
>
>I am running Debian Woody with Snort 2.0.0 and nothing else and it is
>running fine.  It would catch all the portscans.  Now that I have
>installed 2.2 rc1 it does not find them.  It starts with no errors.  
>Here is what I get from my syslog.
>
>Jul 26 12:42:38 optivel-mgmt snort: Writing PID "21721" to file "/var/run//snort_eth0.pid"
>Jul 26 12:42:38 optivel-mgmt snort: HttpInspect Config:
>Jul 26 12:42:38 optivel-mgmt snort:     GLOBAL CONFIG
>Jul 26 12:42:38 optivel-mgmt snort:       Max Pipeline Requests:    0
>Jul 26 12:42:38 optivel-mgmt snort:       Inspection Type:          STATELESS
>Jul 26 12:42:38 optivel-mgmt snort:       Detect Proxy Usage:       NO
>Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Filename: /etc/snort/etc/unicode.map
>Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Codepage: 1252
>Jul 26 12:42:38 optivel-mgmt snort: rpc_decode arguments:
>Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode RPC on: 111 32771
>Jul 26 12:42:38 optivel-mgmt snort:     alert_fragments: INACTIVE
>Jul 26 12:42:38 optivel-mgmt snort:     alert_large_fragments: ACTIVE
>Jul 26 12:42:38 optivel-mgmt snort:     alert_incomplete: ACTIVE
>Jul 26 12:42:38 optivel-mgmt snort:     alert_multiple_requests: ACTIVE
>Jul 26 12:42:38 optivel-mgmt snort: telnet_decode arguments:
>Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode telnet on: 21 23 25 119
>Jul 26 12:42:38 optivel-mgmt snort: Conversation Config:
>Jul 26 12:42:38 optivel-mgmt snort:    KeepStats: 0
>Jul 26 12:42:38 optivel-mgmt snort:    Conv Count: 3000
>Jul 26 12:42:38 optivel-mgmt snort:    Timeout   : 60
>Jul 26 12:42:38 optivel-mgmt snort:    Alert Odd?: 0
>Jul 26 12:42:38 optivel-mgmt snort:    Allowed IP Protocols:
>Jul 26 12:42:38 optivel-mgmt snort:  All
>Jul 26 12:42:38 optivel-mgmt snort:
>Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:
>Jul 26 12:42:38 optivel-mgmt snort:     log: /var/log/snort/scan.log
>Jul 26 12:42:38 optivel-mgmt snort:     scanners_max: 256
>Jul 26 12:42:38 optivel-mgmt snort:     targets_max: 1024
>Jul 26 12:42:38 optivel-mgmt snort:     target_limit: 5
>Jul 26 12:42:38 optivel-mgmt snort:     port_limit: 20
>Jul 26 12:42:38 optivel-mgmt snort:     timeout: 60
>Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow.  flow must be enabled for this plugin.
>Jul 26 12:42:38 optivel-mgmt last message repeated 2 times
>Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow.  flow must be enabled for this plugin.
>
>I see that there is a problem with the flowbits.  That is why I had done
>something wrong with the snort.conf file.  Any ideas?
>
>Thanks,
>Bill
>
>
>Harper, Patrick wrote:
>
>>What OS are you running?  How did you install (binary for windows, RPM,
>>Source)  a little more info is needed please
>>
>>-----Original Message-----
>>From: Bill Warren [mailto:bwarren at ...12173...]
>>Sent: Monday, July 26, 2004 9:04 AM
>>To: snort-users at lists.sourceforge.net
>>Subject: [Snort-users] Looking for snort.conf with new preprocessor 
>>info
>>
>>Hello All,
>>I just updated from Snort 2.0.0 to 2.2 and I need the new snort.conf 
>>with preprocessor info.
>>Thanks,
>>Bill
>>

-- 

**********************************
Bill Warren
Optivel, Inc.
E-mail: bwarren at ...12173...
Voice:  317.275.2305
Fax:    317.275.2301
Web:    http://www.optivel.com
**********************************
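The thread's diagnosis is that the `flowbits without flow` warnings come from rules in web-misc.rules being loaded while no active `preprocessor flow:` line exists in snort.conf. The script below is an added example, not code posted in this thread or shipped with Snort: it reads a Snort 2.x snort.conf, resolves `var` and `include` lines relative to the config directory (the `/etc/snort/etc/../rules/web-misc.rules` path in the syslog output shows Snort resolving `$RULE_PATH` the same way), and reports every uncommented rule that uses `flowbits` when the flow preprocessor is commented out or missing. The config tree and rules it builds are constructed samples, and the sid numbers are placeholders.

```python
"""Offline check for the 'flowbits without flow' condition discussed in the
thread: flag rules that use flowbits when snort.conf does not enable the flow
preprocessor. Added example, not code from the thread or from the Snort
project. All sample files below are constructed."""
import re
import tempfile
from pathlib import Path

# Matches an active 'preprocessor flow:' line (not flow-portscan, whose name
# continues with '-').
FLOW_LINE = re.compile(r"^\s*preprocessor\s+flow\s*:")
VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_LINE = re.compile(r"^\s*include\s+(\S+)")
FLOWBITS_OPT = re.compile(r"\bflowbits\s*:")


def expand_vars(value, variables):
    """Substitute $NAME references from earlier 'var' lines; unknown names
    are left as written."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def check_snort_conf(conf_path):
    """Return (flow_enabled, flowbits_rules) for a Snort 2.x config.
    flowbits_rules is a list of (rule_file_path, line_number) for every
    active rule that carries a flowbits option."""
    conf_path = Path(conf_path)
    base = conf_path.parent  # relative includes resolve against the config dir
    variables = {}
    flow_enabled = False
    flowbits_rules = []
    for line in conf_path.read_text().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # a commented-out 'preprocessor flow' line does not count
        if FLOW_LINE.match(line):
            flow_enabled = True
            continue
        m = VAR_LINE.match(line)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_LINE.match(line)
        if not m:
            continue
        rule_file = base / expand_vars(m.group(1), variables)
        if not rule_file.exists():
            continue  # Snort would abort on a missing include; we only track flowbits
        for number, rule in enumerate(rule_file.read_text().splitlines(), 1):
            if not rule.strip() or rule.lstrip().startswith("#"):
                continue
            if FLOWBITS_OPT.search(rule):
                flowbits_rules.append((str(rule_file), number))
    return flow_enabled, flowbits_rules


def flowbits_warnings(conf_path):
    """Produce the same kind of warning Snort 2.2 logs: one per flowbits rule
    when the flow preprocessor is not enabled, none otherwise."""
    flow_enabled, flowbits_rules = check_snort_conf(conf_path)
    if flow_enabled:
        return []
    return [f"{path} ({number}) => flowbits without flow. "
            "flow must be enabled for this plugin." for path, number in flowbits_rules]


def demo():
    """Build a constructed etc/ + rules/ tree in a temp dir and run the check
    with the flow line commented out, then with it enabled."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "rules").mkdir()
    # Constructed rules; sids are placeholders, not real Snort rule ids.
    (root / "rules" / "web-misc.rules").write_text(
        'alert tcp any any -> any 80 (msg:"constructed A"; flowbits:set,demo; sid:9000001;)\n'
        '# alert tcp any any -> any 80 (msg:"commented out"; flowbits:isset,demo; sid:9000002;)\n'
        'alert tcp any any -> any 80 (msg:"constructed B"; flowbits:isset,demo; sid:9000003;)\n'
        'alert tcp any any -> any 80 (msg:"no flowbits"; content:"x"; sid:9000004;)\n'
    )
    conf = root / "etc" / "snort.conf"
    flow_off_conf = ("var RULE_PATH ../rules\n"
                     "# preprocessor flow: stats_interval 0 hash 2\n"
                     "include $RULE_PATH/web-misc.rules\n")
    conf.write_text(flow_off_conf)
    with_flow_off = flowbits_warnings(conf)
    conf.write_text(flow_off_conf.replace("# preprocessor flow", "preprocessor flow"))
    with_flow_on = flowbits_warnings(conf)
    return {"flow_off": with_flow_off, "flow_on": with_flow_on}


if __name__ == "__main__":
    for state, warnings in demo().items():
        print(state, warnings or "no warnings")
```

Run against a real installation as `check_snort_conf("/etc/snort/etc/snort.conf")`; an empty warning list together with `flow_enabled == True` is the state the thread is aiming for, and a non-empty list identifies exactly which rule files and line numbers Snort will complain about at startup.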
