[Snort-users] Snort does not like default global telnet config??

Joe Pampel jpampel at ...14829...
Tue Apr 20 22:12:52 EDT 2010

Hi and thanks!

I think what you are saying is that snort.conf was not updated and has stale keywords?

I did a diff between the one in the build folders and the production one and there are some interesting changes.
Production one looked stale..

So I set up a new snort.conf based on the one in the install files and now it is still failing with the same error.
At least I am consistent...

It has the SSL config now which looks valid:  (per Page #66-67 in manual)

preprocessor ssl: noinspect_encrypted, trustservers

When I try to run it, it still claims that:

....Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
ERROR: /usr/local/etc/snort.conf(406) => Invalid keyword 'encrypted_traffic' for 'global' configuration.
Fatal Error, Quitting..

I read the snort.conf file and looked at the manual again and I honestly don't see what else I would need to config to get it at least running. The defaults look like they should work without human intervention.

Should I go back to flipping burgers now? ;)

On Apr 20, 2010, at 7:53 PM, Russell Fulton wrote:

> On 21/04/2010, at 11:12 AM, Joe Pampel wrote:
>> Hi,
>> I upgraded a sensor which was at Snort 2.8.4 to the new version
>> This is on Solaris 10, x86.  I am logging remotely; there is no local mysql etc.
>> It has been running snort stably for over a year now.
>> Now when I try to run Snort, it chokes on the global telnet config, but there is nothing wrong with it - it is the default.
> Nothing wrong with the telnet config -- what you are missing is the new ssl config. See README.ssl
> They have just added the new keywords to the rules.
> R
