[Snort-users] Snort Stream5 Support

Russ Combs rcombs at ...1935...
Tue May 22 11:30:39 EDT 2012


Looks like the conf you are telling snort to use is /tmp/test.rule which,
per your cat output, does not include the stream5 config, etc.

On Tue, May 22, 2012 at 10:22 AM, Turnbough, Bradley E. <
bturnbough at ...15650...> wrote:

>  Very new to snort.
>
> I seem to be having some issues with getting Stream5 support up and
> running.  Here is the rule:
>
> [root at ...3360...]# cat /tmp/test.rule
> log tcp any any ->  xx.xx.xx.xx/29 23
> alert tcp any any -> xx.xx.xx.xx/29 22 (\
> msg:"Potential SSH Brute Force";\
> flow:to_server;\
> flags:S;\
> threshold:type threshold, track by_src, count 3, seconds 60;\
> classtype:attempted-dos;\
> sid:2001218;\
> rev:4;\
> resp:rst-all;\
> )
>
> Using the following options to startup:
>
> snort -d -i eth0 -c /tmp/test.rule -l /tmp/log
>
> Produces a nasty error:
>
> Running in IDS mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/tmp/test.rule"
> Tagged Packet Limit: 256
> Log directory = /tmp/log
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: /tmp/test.rule(11): Stream5 must be enabled to use the 'to_server' option.
> Fatal Error, Quitting..
>
> Reviewing the snort.conf file, it appears I DO have Stream5 support
> enabled:
>
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 2, \
>    min_response_seconds 5
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>         161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
>         7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>     ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 \
>         7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
>         7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
> preprocessor stream5_udp: timeout 180
>
> Why am I getting the error?
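The diagnosis in this reply, as an added example (not part of the thread, and not Snort's own code): a small Python lint that loads a Snort 2.x config the way `-c` does, follows `include` lines, and flags `flow:` rules when no `stream5_tcp` preprocessor is declared in that same load. The rule text, the minimal snort.conf and the `/tmp` paths are constructed samples, and only the `flow` option the thread trips over is checked.

```python
# Added example, not part of the thread or of Snort: a lint that mirrors the
# check behind the error above. Snort honours flow: only when the config given
# to -c (includes resolved) declares stream5_tcp. Paths/contents are constructed.
import re

def logical_lines(text):
    """Join backslash-continued lines; yield (last physical line no, text)."""
    buf = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        joined, buf = " ".join(buf + [line]).strip(), []
        if joined and not joined.startswith("#"):
            yield no, joined  # Snort reports a continued rule at its last line

def load(path, files, seen=()):
    """Flatten a config into (path, lineno, line), following include lines."""
    if path in seen or path not in files:  # include cycle or missing file
        return []
    out = []
    for no, line in logical_lines(files[path]):
        inc = re.match(r"include\s+(\S+)", line)
        out += load(inc.group(1), files, seen + (path,)) if inc else [(path, no, line)]
    return out

def check(conf_path, files):
    """Return Snort-style errors for rules that use flow: without Stream5."""
    lines = load(conf_path, files)
    has_stream5 = any(re.match(r"preprocessor\s+stream5_tcp\b", l) for _, _, l in lines)
    rule = re.compile(r"(alert|log|pass|drop|reject|sdrop)\s.*\(.*[\s;(]flow\s*:\s*(\w+)")
    hits = [(p, n, rule.match(l)) for p, n, l in lines]
    return [f"{p}({n}): Stream5 must be enabled to use the '{m.group(2)}' option."
            for p, n, m in hits if m and not has_stream5]

# Constructed sample files: the bare rule file (as passed to -c in the thread)
# and a minimal snort.conf that declares Stream5 and then includes that file.
RULES = """\
alert tcp any any -> 192.0.2.0/29 22 (\\
msg:"Potential SSH Brute Force";\\
flow:to_server; sid:1000001; rev:1;\\
)
"""
SNORT_CONF = """\
preprocessor stream5_global: track_tcp yes, max_tcp 262144
preprocessor stream5_tcp: policy windows, timeout 180
include /tmp/test.rule
"""
FILES = {"/tmp/test.rule": RULES, "/tmp/snort.conf": SNORT_CONF}
```

Running `check("/tmp/test.rule", FILES)` reproduces the thread's error for the bare rule file, while `check("/tmp/snort.conf", FILES)` is clean because the stream5 preprocessors are part of the same load.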