[Snort-users] Problem with stream5

Alex Kirk akirk at ...1935...
Thu Nov 18 13:28:51 EST 2010


That's because you're completely missing the options to your stream5_global
preprocessor. The VRT's standard config has this line for that:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, \
    track_icmp no, max_active_responses 2, min_response_seconds 5

If you actually fill that line out, it should work just fine.

2010/11/18 Fábio Ferrão <ferrao04 at ...11827...>

> Dear all,
>
> I have a problem with stream5 during Snort initialization.
> The logs follow below:
>
> Verifying Preprocessor Configurations!
> Nov 18 15:22:43 badejo snort[22444]: WARNING: Stream5 TCP default policy not specified in configuration
> Nov 18 15:22:43 badejo snort[22444]: WARNING: Stream5 TCP misconfigured (policy 0)
> Nov 18 15:22:43 badejo snort[22444]: Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
> Nov 18 15:22:43 badejo snort[22444]: WARNING: Stream5 ICMP misconfigured (policy 0)
> Nov 18 15:22:43 badejo snort[22444]: FATAL ERROR: Stream5 not properly configured... exiting
>
>
> Below is my stream5 configuration:
>
> # Target-Based stateful inspection/stream reassembly.  For more
> information, see README.stream5
> preprocessor stream5_global:
> preprocessor stream5_tcp: policy windows, timeout 60, bind_to X.X.X.X/XX,
> detect_anomalies, check_session_hijacking, use_static_footprint_sizes,
> ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139
> 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666
> 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774
> 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994
> 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911
> 7912 7913 7914 7915 7916 7917 7918 7919 7920
> preprocessor stream5_tcp: policy linux, timeout 60, bind_to X.X.X.X/XX,
> detect_anomalies, check_session_hijacking, use_static_footprint_sizes,
> ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139
> 143 110 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666
> 6667 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774
> 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992 993 994
> 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911
> 7912 7913 7914 7915 7916 7917 7918 7919 7920
> preprocessor stream5_udp: timeout 60
>
>
> What am I missing?
>
> Can somebody help me?
>
> Thanks.
>
> --
> Fábio Ferrão Ribeiro
> MCSO - Módulo Certified Security Officer
> ACPCF - Axur Certified Professional Computer Forensics
> Lead Auditor in Information Security
>
> "And you shall know the truth, and the truth shall set you free".  John 8.32



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
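
Added example (not part of the original messages and not Snort code): a small Python check that reads snort.conf text, folds backslash continuations, and reports a stream5_global directive that has no options or whose options have run together without commas. The two sample configs are constructed from the thread (the posted one abridged), and the "keyword plus at most one value" rule is an assumption.

```python
import re

# Constructed sample, abridged from the configuration quoted in the thread.
AS_POSTED = """\
# Target-Based stateful inspection/stream reassembly.
preprocessor stream5_global:
preprocessor stream5_tcp: policy windows, timeout 60, detect_anomalies
preprocessor stream5_udp: timeout 60
"""

# The line suggested in the reply, split with a snort.conf backslash continuation.
AS_SUGGESTED = """\
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, \\
    track_icmp no, max_active_responses 2, min_response_seconds 5
preprocessor stream5_udp: timeout 60
"""

def directives(conf_text):
    """Yield (name, options) for every 'preprocessor' directive in conf_text."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", conf_text)  # fold continuation lines
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"preprocessor\s+(\w+)\s*:?\s*(.*)$", line)
        if m:
            yield m.group(1), m.group(2).strip()

def lint_stream5_global(conf_text):
    """Return (code, detail) findings for stream5_global directives."""
    findings = []
    for name, opts in directives(conf_text):
        if name != "stream5_global":
            continue
        if not opts:
            findings.append(("EMPTY", "stream5_global has no options"))
            continue
        for segment in (s.strip() for s in opts.split(",")):
            # Assumption: each global option is a keyword plus at most one
            # value, so a longer segment most likely lost a comma.
            if len(segment.split()) > 2:
                findings.append(("COMMA", segment))
    return findings

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        print(label, lint_stream5_global(text))
```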