[Snort-users] Missing Portscanners in 2.8 - Flow-Portscan vs stream5

frederick sonnichsen fsonnichsen at ...315...
Mon Mar 24 15:42:40 EDT 2008


No. I tried it originally and snort failed with:
FATAL ERROR: Stream5 and flow cannot be used at the same time, as 
Stream5 provides the same functionality as flow.

Thanks!
Fritz


rmkml wrote:

> Hi Frederick,
> Do you have preprocessor flow enabled in snort.conf?
> Regards
> Rmkml
>
>
> On Mon, 24 Mar 2008, frederick sonnichsen wrote:
>
>> Date: Mon, 24 Mar 2008 15:22:17 -0400
>> From: frederick sonnichsen <fsonnichsen at ...315...>
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Missing Portscanners in 2.8 - Flow-Portscan vs 
>> stream5
>>
>> I have converted from 2.3.3 to 2.8.0.2.
>> Running both versions now, the newer version detects fewer portscans and
>> sweeps. I started looking into the preprocessors:
>>
>> Per the doc, stream5 replaces stream4, and also the flow preprocessors.
>> However, due to the missing detection I decided to add back the
>> Flow-Portscan. When I do this I get the following message at snort 
>> startup:
>>      FATAL ERROR: /etc/snort/snort.conf(806) flow-portscan requires
>> spp_flow to be enabled!
>>
>> I cannot find anything about the option spp_flow or how to turn it on.
>> Any ideas?
>> Thanks
>> Fritz
>>
>>
>
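
Added example, not part of the original thread and not Snort's own code: a small Python check that scans a snort.conf for the two preprocessor combinations behind the fatal errors quoted above. It assumes the `preprocessor <name>: <options>` directive syntax, and the sample configs are constructed for illustration.

```python
import re

# Active "preprocessor <name>[: options]" directives; comments are stripped first.
DIRECTIVE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_-]+)\s*(?::|$)")

def enabled_preprocessors(conf_text):
    """Return {preprocessor name: first line number} for active directives."""
    found = {}
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line.split("#", 1)[0])
        if match:
            found.setdefault(match.group(1).lower(), lineno)
    return found

def check_conflicts(conf_text):
    """Return (line, message) pairs for the two startup failures in this thread."""
    pre = enabled_preprocessors(conf_text)
    uses_stream5 = any(name.startswith("stream5") for name in pre)
    problems = []
    if "flow-portscan" in pre and "flow" not in pre:
        problems.append((pre["flow-portscan"],
                         "flow-portscan requires flow to be enabled"))
    if "flow" in pre and uses_stream5:
        problems.append((pre["flow"],
                         "Stream5 and flow cannot be used at the same time"))
    return problems

# Constructed sample configs (not from the thread) mirroring the two attempts.
STREAM5_PLUS_PORTSCAN = """\
preprocessor stream5_global: max_tcp 8192, track_tcp yes
preprocessor stream5_tcp: policy first
# preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: server-watchnet [10.0.0.0/8]
"""
STREAM5_PLUS_FLOW = STREAM5_PLUS_PORTSCAN.replace(
    "# preprocessor flow:", "preprocessor flow:")

if __name__ == "__main__":
    for label, conf in (("stream5 + flow-portscan", STREAM5_PLUS_PORTSCAN),
                        ("stream5 + flow + flow-portscan", STREAM5_PLUS_FLOW)):
        for lineno, message in check_conflicts(conf):
            print(f"{label}: line {lineno}: {message}")
```
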




