[Snort-users] troubleshooting snort

Russ Combs rcombs at ...1935...
Tue Jun 4 07:56:39 EDT 2013


The comments (with #) and line continuations (with \) don't mix well.

Remove the ", \" at the end of the line with max_udp and uncomment the
stuff you previously commented (stream5_tcp and stream5_udp).

On Tue, Jun 4, 2013 at 7:49 AM, Seth Dunn <seth at ...16266...> wrote:

> Looking at your snort.conf file, try putting a space between the '#' and
> the first character.
> Also you can try commenting out the preprocessor lines also.
>
> # preprocessor stream5_tcp
> # preprocessor stream5_udp
>
> # Does nothing in IDS mode
> # preprocessor normalize_ip4
> # preprocessor normalize_tcp: ips ecn stream
> # preprocessor normalize_icmp4
> # preprocessor normalize_ip6
> # preprocessor normalize_icmp6
>
> # Target-based IP defragmentation.  For more inforation, see README.frag3
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
>  #policy windows detect_anomalies timeout 180 overlap_limit 10 min_fragment_length 100
>
> # Target-Based stateful inspection/stream reassembly.  For more inforation, see README.stream5
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    #max_active_responses 2, \
>    #min_response_seconds 5
> # preprocessor stream5_tcp: policy first, use_static_footprint_sizes,
> ports client
>  21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111
> 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669
> 7000 8000
>  8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778
> 32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
> 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918
> 7919 7920
> # preprocessor stream5_udp: timeout 180, ignore_any_rules
>
> *From:* Russ Combs [mailto:rcombs at ...1935...]
> *Sent:* Tuesday, June 04, 2013 7:18 AM
> *To:* Seth Dunn
> *Cc:* soukaina mzerda; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] troubleshooting snort
>
> Look carefully at stream5_global and make sure that there isn't a line
> continuation ( '\' ) at the end of those options causing stream5_tcp to
> appear as one of them.  stream5_global and stream5_tcp must be separate.
>
> On Tue, Jun 4, 2013 at 7:05 AM, Seth Dunn <seth at ...16266...> wrote:
>
> Go to that line in your snort.conf file and comment it out, and try again
>
> *From:* soukaina mzerda [mailto:soukaina.mz at ...11827...]
> *Sent:* Tuesday, June 04, 2013 7:03 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] troubleshooting snort
>
> Hi,
>
> I've configured snort on ubuntu with all packages needed, but I'm facing
> some troubles here while running snort in IDS mode, saying that
>
> ( ERROR: /etc/snort/etc/snort.conf(283) => Unknown Stream5 global option
> (preprocessor stream5_tcp: policy first)
>
> Fatal Error, Quitting..)
>
> Please I need help, I've done all the configuration and I have to
> complete this by the end of the day heeeeeeeeeeelp!
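Added example (not part of the original thread, and not Snort's own code): a small pre-flight check for the comment/continuation mix-up discussed above, run over a constructed copy of the stream5 section. It assumes, consistent with the error reported in the thread, that comment lines are dropped without closing an open '\' continuation; lint_continuations, BROKEN and FIXED are names made up for this example.

```python
import re

# Keywords that begin a new snort.conf directive (a subset, enough for this check).
DIRECTIVE = re.compile(r"^(preprocessor|config|var|ipvar|portvar|include|output|dynamic\w+)\b")

def lint_continuations(conf_text):
    """Return (line_number, message) findings for comment/continuation mix-ups."""
    findings = []
    open_from = None  # line number where the current '\' continuation started
    for no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Assumption: a comment line is skipped and does not end the
            # continuation, so the open directive keeps collecting text.
            if open_from is not None:
                findings.append((no, f"comment inside continuation opened on line {open_from}"))
            continue
        if open_from is not None and DIRECTIVE.match(line):
            name = line.split(":")[0]
            findings.append((no, f"'{name}' is absorbed into the directive on line {open_from}"))
        continues = line.endswith("\\")
        if continues and open_from is None:
            open_from = no
        elif not continues:
            open_from = None
    return findings

# Constructed sample modelled on the stream5 section quoted in this thread.
BROKEN = r"""preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   #max_active_responses 2, \
   #min_response_seconds 5
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: timeout 180, ignore_any_rules
"""

# Same section with the trailing ", \" removed from the max_udp line.
FIXED = BROKEN.replace("max_udp 131072, \\", "max_udp 131072")

if __name__ == "__main__":
    for no, msg in lint_continuations(BROKEN):
        print(f"line {no}: {msg}")
```
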