[Snort-users] Looking for snort.conf with new preprocessor info

Bill Warren bwarren at ...12173...
Mon Jul 26 12:12:21 EDT 2004


This is my snort.conf.

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
include classification.config
include reference.config

Jeff Dell wrote:

>If you are using the proper config, you should have seen the following when
>starting snort:
>
>,-----------[Flow Config]----------------------
>| Stats Interval:  0
>| Hash Method:     2
>| Memcap:          10485760
>| Rows  :          4099
>| Overhead Bytes:  16400(%0.16)
>`----------------------------------------------
>
>I would double check your config because I didn't see that in your log that
>you sent.
>
>Jeff
> 
>
>-----Original Message-----
>From: Bill Warren [mailto:bwarren at ...12173...] 
>Sent: Monday, July 26, 2004 2:54 PM
>To: Jeff Dell
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info
>
>Did that.
>
>Jeff Dell wrote:
>
>>You must enable the flow preprocessor. Example:
>>
>>#preprocessor flow: stats_interval 0 hash 2 
>>
>>Should be:
>>
>>preprocessor flow: stats_interval 0 hash 2
>>
>>-----Original Message-----
>>From: snort-users-admin at lists.sourceforge.net
>>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bill Warren
>>Sent: Monday, July 26, 2004 1:47 PM
>>To: Harper, Patrick; snort-users at lists.sourceforge.net
>>Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info
>>
>>I am running Debian Woody with Snort 2.0.0 and nothing else and it is  
>>running fine.  It would catch all the portscans.  Now that I have 
>>installed 2.2 rc1 it does not find them.  It starts with no errors.  
>>Here is what I get from my syslog.
>>
>>Jul 26 12:42:38 optivel-mgmt snort: Writing PID "21721" to file "/var/run//snort_eth0.pid"
>>Jul 26 12:42:38 optivel-mgmt snort: HttpInspect Config:
>>Jul 26 12:42:38 optivel-mgmt snort:     GLOBAL CONFIG
>>Jul 26 12:42:38 optivel-mgmt snort:       Max Pipeline Requests:    0
>>Jul 26 12:42:38 optivel-mgmt snort:       Inspection Type:          STATELESS
>>Jul 26 12:42:38 optivel-mgmt snort:       Detect Proxy Usage:       NO
>>Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Filename: /etc/snort/etc/unicode.map
>>Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Codepage: 1252
>>Jul 26 12:42:38 optivel-mgmt snort: rpc_decode arguments:
>>Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode RPC on: 111 32771
>>Jul 26 12:42:38 optivel-mgmt snort:     alert_fragments: INACTIVE
>>Jul 26 12:42:38 optivel-mgmt snort:     alert_large_fragments: ACTIVE
>>Jul 26 12:42:38 optivel-mgmt snort:     alert_incomplete: ACTIVE
>>Jul 26 12:42:38 optivel-mgmt snort:     alert_multiple_requests: ACTIVE
>>Jul 26 12:42:38 optivel-mgmt snort: telnet_decode arguments:
>>Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode telnet on: 21 23 25 119
>>Jul 26 12:42:38 optivel-mgmt snort: Conversation Config:
>>Jul 26 12:42:38 optivel-mgmt snort:    KeepStats: 0
>>Jul 26 12:42:38 optivel-mgmt snort:    Conv Count: 3000
>>Jul 26 12:42:38 optivel-mgmt snort:    Timeout   : 60
>>Jul 26 12:42:38 optivel-mgmt snort:    Alert Odd?: 0
>>Jul 26 12:42:38 optivel-mgmt snort:    Allowed IP Protocols:
>>Jul 26 12:42:38 optivel-mgmt snort:  All
>>Jul 26 12:42:38 optivel-mgmt snort:
>>Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:
>>Jul 26 12:42:38 optivel-mgmt snort:     log: /var/log/snort/scan.log
>>Jul 26 12:42:38 optivel-mgmt snort:     scanners_max: 256
>>Jul 26 12:42:38 optivel-mgmt snort:     targets_max: 1024
>>Jul 26 12:42:38 optivel-mgmt snort:     target_limit: 5
>>Jul 26 12:42:38 optivel-mgmt snort:     port_limit: 20
>>Jul 26 12:42:38 optivel-mgmt snort:     timeout: 60
>>Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow.  flow must be enabled for this plugin.
>>Jul 26 12:42:38 optivel-mgmt last message repeated 2 times
>>Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow.  flow must be enabled for this plugin.
>>
>>I see that there is a problem with the flowbits.  That is why I think I did
>>something wrong with the snort.conf file.  Any ideas?
>>
>>Thanks,
>>Bill
>>
>>
>>Harper, Patrick wrote:
>>
>>>What OS are you running?  How did you install (binary for Windows, RPM,
>>>source)?  A little more info is needed, please.
>>>

-- 

**********************************
Bill Warren
Optivel, Inc.
E-mail: bwarren at ...12173...
Voice:  317.275.2305
Fax:    317.275.2301
Web:    http://www.optivel.com
**********************************
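Jeff's point in the thread (a commented-out `preprocessor flow` line leaves every rule that uses `flowbits` without the state it needs, hence the "flowbits without flow" warnings) can be checked before Snort is even started. The script below is an added example, not code from the thread or from the Snort project; it assumes snort.conf and the rules file are read as plain text and uses constructed sample input so it runs offline.

```python
import re

# Constructed sample inputs (not the thread's real files): the config keeps
# the flow line commented out, exactly the mistake discussed in the thread.
CONF_DISABLED = """var HOME_NET any
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252
#preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
"""
CONF_FIXED = CONF_DISABLED.replace("#preprocessor flow", "preprocessor flow")

RULES = """# constructed sample rules, not the real web-misc.rules
alert tcp any any -> any 80 (msg:"set bit"; content:"GET"; flowbits:set,seen_get; flowbits:noalert;)
alert tcp any any -> any 80 (msg:"check bit"; flowbits:isset,seen_get; content:"/x";)
alert tcp any any -> any 80 (msg:"no flowbits"; content:"/y";)
"""


def parse_preprocessors(conf_text):
    """Return the names of preprocessors that are actually enabled in a snort.conf."""
    enabled, pending = set(), []
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # trailing backslash: statement continues
            pending.append(line[:-1])
            continue
        stmt = " ".join(pending + [line]).strip()
        pending = []
        if not stmt or stmt.startswith("#"):   # '#preprocessor flow ...' is disabled
            continue
        m = re.match(r"preprocessor\s+([A-Za-z0-9_]+)", stmt)
        if m:
            enabled.add(m.group(1))
    return enabled


def flowbits_without_flow(conf_text, rules_text):
    """List (line number, rule) for rules using flowbits while flow is disabled."""
    if "flow" in parse_preprocessors(conf_text):
        return []
    hits = []
    for n, line in enumerate(rules_text.splitlines(), start=1):
        s = line.strip()
        if s and not s.startswith("#") and re.search(r"\bflowbits\s*:", s):
            hits.append((n, s))
    return hits
```

Each tuple returned corresponds to one "rules (N) => flowbits without flow" warning Snort would print at startup; an empty list for the corrected config is the expected outcome.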



