[Snort-users] troubleshooting snort

Russ Combs rcombs at ...1935...
Tue Jun 4 08:21:45 EDT 2013


You can't remove all the line continuations.  Just the one I mentioned.  It
should look like this:

preprocessor stream5_global: track_tcp yes, \
   track_udp yes,  \
   track_icmp no,  \
   max_tcp 262144, \
   max_udp 131072
#   max_active_responses 2
#   min_response_seconds 5

On Tue, Jun 4, 2013 at 8:12 AM, soukaina mzerda <soukaina.mz at ...11827...> wrote:

> # Step #5: Configure preprocessors
> # For more information, see the Snort Manual, Configuring Snort -
> Preprocessors
> ###################################################
>
> # GTP Control Channel Preprocessor. For more information, see README.GTP
> # preprocessor gtp: ports { 2123 3386 2152 }
>
> # Inline packet normalization. For more information, see README.normalize
> # Does nothing in IDS mode
>  preprocessor normalize_ip4
>  preprocessor normalize_tcp: ips ecn stream
>  preprocessor normalize_icmp4
>  preprocessor normalize_ip6
>  preprocessor normalize_icmp6
>
> # Target-based IP defragmentation.  For more information, see README.frag3
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
> # policy windows detect_anomalies timeout 180 overlap_limit 10
> min_fragment_length 100
>
> # Target-Based stateful inspection/stream reassembly.  For more
> information, see README.stream5
> preprocessor stream5_global: track_tcp yes,
>    track_udp yes,
>    track_icmp no,
>    max_tcp 262144,
>    max_udp 131072
>    max_active_responses 2
>     min_response_seconds 5
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> preprocessor stream5_udp: timeout 180, ignore_any_rules
>
> # performance statistics.  For more information, see the Snort Manual,
> Configuring Snort - Preprocessors - Performance Monitor
> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt
> 10000
>
> # HTTP normalization and anomaly detection.  For more information, see
> README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
>
>
> On Tue, Jun 4, 2013 at 2:08 PM, Russ Combs <rcombs at ...1935...> wrote:
>
>> Send your updated conf, at least the stream5 parts.
>>
>>
>> On Tue, Jun 4, 2013 at 8:06 AM, soukaina mzerda <soukaina.mz at ...11827...> wrote:
>>
>>> I did so and I got another error :/ ....Missing parameter in Stream5
>>> Global config !
>>> :s :s
>>>
>>>
>>> On Tue, Jun 4, 2013 at 1:56 PM, Russ Combs <rcombs at ...1935...> wrote:
>>>
>>>> The comments (with #) and line continuations (with \) don't mix well.
>>>>
>>>> Remove the ", \" at the end of the line with max_udp and uncomment the
>>>> stuff you previously commented (stream5_tcp and stream5_udp).
>>>>
>>>>
>>>> On Tue, Jun 4, 2013 at 7:49 AM, Seth Dunn <seth at ...16266...> wrote:
>>>>
>>>>> Looking at your snort.conf file, try putting a space between the '#'
>>>>> and the first character.
>>>>> Also you can try commenting out the preprocessor lines also.
>>>>>
>>>>> # preprocessor stream5_tcp
>>>>> # preprocessor stream5_udp
>>>>>
>>>>> # Does nothing in IDS mode
>>>>> # preprocessor normalize_ip4
>>>>> # preprocessor normalize_tcp: ips ecn stream
>>>>> # preprocessor normalize_icmp4
>>>>> # preprocessor normalize_ip6
>>>>> # preprocessor normalize_icmp6
>>>>>
>>>>> # Target-based IP defragmentation.  For more information, see
>>>>> README.frag3
>>>>> preprocessor frag3_global: max_frags 65536
>>>>> preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
>>>>>  #policy windows detect_anomalies timeout 180 overlap_limit 10
>>>>> min_fragment_length 100
>>>>>
>>>>> # Target-Based stateful inspection/stream reassembly.  For more
>>>>> information, see README.stream5
>>>>> preprocessor stream5_global: track_tcp yes, \
>>>>>    track_udp yes, \
>>>>>    track_icmp no, \
>>>>>    max_tcp 262144, \
>>>>>    max_udp 131072, \
>>>>>    #max_active_responses 2, \
>>>>>    #min_response_seconds 5
>>>>> # preprocessor stream5_tcp: policy first, use_static_footprint_sizes,
>>>>> ports client
>>>>> 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110
>>>>> 111 161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667
>>>>> 6668 6669 7000 8000 8080 8180 8888 32770 32771 32772 32773 32774
>>>>> 32775 32776 32777 32778 32779, ports both 443 465 563 636 989 992
>>>>> 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 7906 6907 7908
>>>>> 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
>>>>> # preprocessor stream5_udp: timeout 180, ignore_any_rules
>>>>>
>>>>>
>>>>> *From:* Russ Combs [mailto:rcombs at ...1935...]
>>>>> *Sent:* Tuesday, June 04, 2013 7:18 AM
>>>>> *To:* Seth Dunn
>>>>> *Cc:* soukaina mzerda; snort-users at lists.sourceforge.net
>>>>> *Subject:* Re: [Snort-users] troubleshooting snort
>>>>>
>>>>> Look carefully at stream5_global and make sure that there isn't a line
>>>>> continuation ( '\' ) at the end of those options causing stream5_tcp to
>>>>> appear as one of them.  stream5_global and stream5_tcp must be separate.
>>>>>
>>>>> On Tue, Jun 4, 2013 at 7:05 AM, Seth Dunn <seth at ...16266...> wrote:
>>>>>
>>>>> Go to that line in your snort.conf file and comment it out, and try
>>>>> again
>>>>>
>>>>> *From:* soukaina mzerda [mailto:soukaina.mz at ...11827...]
>>>>> *Sent:* Tuesday, June 04, 2013 7:03 AM
>>>>> *To:* snort-users at lists.sourceforge.net
>>>>> *Subject:* [Snort-users] troubleshooting snort
>>>>>
>>>>> hi ,
>>>>>
>>>>> I've configured snort on ubuntu with all packages needed , but I'm
>>>>> facing here some troubles while running snort on IDS mode saying that
>>>>>
>>>>> ( ERROR: /etc/snort/etc/snort.conf(283) => Unknown Stream5 global
>>>>> option (preprocessor stream5_tcp: policy first)
>>>>>
>>>>> Fatal Error, Quitting..)
>>>>>
>>>>> Please I need help , I've done all the configuration and I have to
>>>>> complete this by the end of the day heeeeeeeeeeelp!
>
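
As an added example (not part of the original thread and not Snort's own parser), a small Python lint for the two stream5_global mistakes discussed above: a `\` continuation that runs into commented-out options and absorbs the next `preprocessor` line, and an option list left with its commas but no continuations. The sample configs are constructed from the snippets in the thread, and the rule that a comment line does not end a continuation is an assumption consistent with the reported error.

```python
import re

# Snort 2.x keywords that open a new top-level directive.
DIRECTIVE = re.compile(r"^(preprocessor|config|output|include|var|ipvar|portvar)\b")

def lint_continuations(conf_text):
    """Return (line_no, problem) pairs for backslash-continuation mistakes."""
    findings = []
    continued = False  # previous non-comment line ended with a backslash
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            # Assumption: a comment does not close a continuation, so the
            # next real line is still appended to the open directive.
            if continued:
                findings.append((line_no, "comment inside a continued directive"))
            continue
        if continued and DIRECTIVE.match(line):
            findings.append((line_no, "directive absorbed by the previous '\\'"))
        if line.endswith(","):
            findings.append((line_no, "option ends with ',' but no '\\' follows"))
        continued = line.endswith("\\")
    return findings

# Constructed samples based on the stream5_global snippets in the thread.
BROKEN = r"""preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   #max_active_responses 2, \
   #min_response_seconds 5
preprocessor stream5_tcp: policy first, use_static_footprint_sizes"""

NO_CONTINUATIONS = r"""preprocessor stream5_global: track_tcp yes,
   track_udp yes,
   track_icmp no,
   max_tcp 262144,
   max_udp 131072"""

FIXED = r"""preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072
#   max_active_responses 2
#   min_response_seconds 5
preprocessor stream5_tcp: policy first, use_static_footprint_sizes"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("no continuations", NO_CONTINUATIONS), ("fixed", FIXED)):
        print(name, lint_continuations(conf))
```

After a clean lint, Snort's own self-test mode (`snort -T -c <path to snort.conf>`) remains the authoritative check of the file.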