[Snort-users] Snort 220.127.116.11 does not like default global telnet config??
jesler at ...1935...
Tue Apr 20 23:28:39 EDT 2010
Can you post your snort.conf? Of course sanitized for your protection.
The ftp_telnet global config in my snort.conf is the following:
preprocessor ftp_telnet: global \
encrypted_traffic yes \
On Apr 20, 2010, at 7:12 PM, Joe Pampel wrote:
> Hi and thanks!
> I think what you are saying is that snort.conf was not updated and has stale keywords?
> I did a diff between the one in the build folders and the production one and there are some interesting changes.
> Production one looked stale..
> So I set up a new snort.conf based on the one in the install files and now it is still failing with the same error.
> At least I am consistent...
> It has the SSL config now which looks valid: (per Page #66-67 in manual)
> preprocessor ssl: noinspect_encrypted, trustservers
> When I try to run it, it still claims that:
> ....Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> Number of Nodes: 36900
> ERROR: /usr/local/etc/snort.conf(406) => Invalid keyword 'encrypted_traffic' for 'global' configuration.
> Fatal Error, Quitting..
> I read the snort.conf file and looked at the manual again and I honestly don't see what else I would need to config to get it at least running. The defaults look like they should work without human intervention.
> should I go back to flipping burgers now? ;)
> On Apr 20, 2010, at 7:53 PM, Russell Fulton wrote:
>> On 21/04/2010, at 11:12 AM, Joe Pampel wrote:
>>> I upgraded a sensor which was at Snort 2.8.4 to the new version 18.104.22.168
>>> This is on Solaris 10, x86. I am logging remotely; there is no local mysql etc.
>>> It has been running snort stably for over a year now.
>>> Now when I try to run Snort, it chokes on the global telnet config, but there is nothing wrong with it - it is the default.
>> nothing wrong with the telnet config -- what you are missing is the new ssl config. see README.ssl
>> They have just added the new keywords to the rules.
> The information contained in this correspondence is intended solely for the person or entity entitled to receive the confidential and/or privileged material that it may contain. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, the information in this correspondence (including any attachments) by anyone other than the intended recipient is strictly prohibited. If you believe that you may not be the intended recipient, please destroy and/or delete this correspondence and the attachment(s).
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users