<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I have recently installed snort 2.8.0.2 and I no longer get very many
portscan alerts when compared to my older version, 2.3.3.<br>
Looking at the older alert files, I see records such as the one below.
These are missing from my 2.8.0.2 output:<br>
<br>
alert from 2.3.3 missing from 2.8.0.2:<br>
      Mar 31 12:24:19 lyta snort: [122:5:0] (portscan) TCP Filtered
Portscan {PROTO255} 128.128.100.76 -> 71.39.148.246<br>
<br>
The preprocessors active in my 2.8.0.2 and 2.3.3 versions are listed
below. The flow-portscan preprocessor in the 2.8 version is omitted in
the sample install file, since stream5 was supposed to replace it.<br>
Can anyone tell me if they have installed 2.8 and if they are still
getting all the portscan records? I find that the new version does not
detect most portscans at this time.<br>
<br>
Thanks for any help,<br>
Fritz<br>
<br>
================== ACTIVE PREPROCESSORS in 2.8.0.2
INSTALL==================<br>
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/<br>
preprocessor frag3_global: max_frags 65536<br>
preprocessor frag3_engine: policy first detect_anomalies<br>
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \<br>
preprocessor stream5_tcp: policy first, use_static_footprint_sizes<br>
preprocessor http_inspect: global \<br>
preprocessor http_inspect_server: server default \<br>
preprocessor rpc_decode: 111 32771<br>
preprocessor bo<br>
preprocessor ftp_telnet: global \<br>
preprocessor ftp_telnet_protocol: telnet \<br>
preprocessor ftp_telnet_protocol: ftp server default \<br>
preprocessor ftp_telnet_protocol: ftp client default \<br>
preprocessor smtp: \<br>
preprocessor sfportscan: proto  { all } \<br>
preprocessor dcerpc: \<br>
preprocessor dns: \<br>
<br>
<br>
================== ACTIVE PREPROCESSORS in 2.3.3
INSTALL==================<br>
preprocessor flow: stats_interval 0 hash 2<br>
preprocessor frag2<br>
preprocessor stream4: disable_evasion_alerts detect_scans<br>
preprocessor stream4_reassemble<br>
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 <br>
preprocessor http_inspect_server: server default profile all ports { 80
8080 8180 } oversize_dir_length 500<br>
preprocessor rpc_decode: 111 32771<br>
preprocessor bo<br>
preprocessor telnet_decode<br>
preprocessor flow-portscan: \<br>
preprocessor sfportscan: proto  { all } \<br>
<br>
<br>
Leon wrote:<br>
<blockquote cite="mid4155F6CD-026C-4DE2-B00F-5CDF8087DA6C@...14165..."
 type="cite">Hi.
  <div><br>
  </div>
  <div>You are using a snort.conf from an old version (2.3) of Snort,
use the one that came with the 2.8 source and you should get on fine.
  <div>I guess that you installed an older version of snort from the
apt repository.</div>
  <div><br>
  </div>
  <div>You will want to remove the old versions and then use the
snort.conf, and associated stuff from 2.8. You will find them under
etc/ in the tarball.</div>
  <div><br>
  </div>
  <div>-Leon</div>
  <div><br>
  </div>
  <div>
  <div> </div>
  <div><br>
  </div>
  <div>  <br>
  <div>On 31 Mar 2008, at 14:33, jose wilter frazao wrote:<br
 class="Apple-interchange-newline">
  <blockquote type="cite">Hi,<br>
I changed the parameter frag2 to frag3 in /etc/snort/snort.conf, but it is
showing the following message:<br>
    <br>
Tagged Packet Limit: 256<br>
/etc/snort/snort.conf(214) unknown dynamic preprocessor "frag3"<br>
/etc/snort/snort.conf(360) unknown dynamic preprocessor "telnet_decode"<br>
/etc/snort/snort.conf(500) unknown dynamic preprocessor "xlink2state"<br>
ERROR: Misconfigured dynamic preprocessor(s)<br>
Fatal Error, Quitting..<br>
    <br>
    <br>
    <div><span class="gmail_quote">2008/3/29, Leon <<a
 href="mailto:seclists@...14165...">seclists@...14165...</a>>:</span>
    <blockquote class="gmail_quote"
 style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
      <div style="">Hi 
      <div><br>
      </div>
      <div>Looks like there are some problems with your snort.conf</div>
      <span class="q">
      <div><br>
      </div>
      <div>
      <blockquote type="cite"><span style="font-family: Arial;">Mar 28
09:23:17 wilter-ubuntu snort[24673]: /etc/snort/snort.conf(214) unknown
dynamic preprocessor "frag2"</span></blockquote>
      <br>
      </div>
      </span>
      <div>frag2 has been replaced with frag3. You shouldn't have it
enabled on line 214 of your snort.conf</div>
      <div><br>
      </div>
      <div>As for the other errors, post your snort.conf with the full
output of a snort -c /etc/snort/snort.conf -T and I'll take a look.</div>
      <div><br>
      </div>
      <div>-Leon</div>
      <div> </div>
      <div><br>
      </div>
      <div>
      <div>
      <div><span class="e" id="q_118fc631eadefaa2_3">On 28 Mar 2008, at
17:45, jose wilter frazao wrote:<br>
      </span></div>
      <blockquote type="cite">
        <div><span class="e" id="q_118fc631eadefaa2_5">
        <div> Hello,</div>
        <div> </div>
        <div> I downloaded Snort from <a
 href="http://www.snort.com/" target="_blank"
 onclick="return top.js.OpenExtLink(window,event,this)">www.snort.com</a>,
compiled it with MySQL support, and installed it on Ubuntu 7.04.<br>
When I run the command "/usr/local/bin/snort -D -c
/etc/snort/snort.conf" to start the Snort daemon, it shows the following
message in "/var/log/syslog":</div>
        <div>
        <div style="margin: 0cm 0cm 0pt; background-color: white;"><span
 style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: /etc/snort/snort.conf(214) unknown dynamic preprocessor
"frag2"</span></div>
        <div style="margin: 0cm 0cm 0pt; background-color: white;"><span
 style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: /etc/snort/snort.conf(360) unknown dynamic preprocessor
"telnet_decode"</span></div>
        <div style="margin: 0cm 0cm 0pt; background-color: white;"><span
 style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: /etc/snort/snort.conf(500) unknown dynamic preprocessor
"xlink2state"</span></div>
        <div style="margin: 0cm 0cm 0pt; background-color: white;"><span
 style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: FATAL ERROR: Misconfigured dynamic preprocessor(s)</span></div>
        <span style="font-family: Arial;" lang="EN-US">
        <div dir="ltr">What should I do to correct this problem?</div>
        </span>
        </div>
        </span></div>
-------------------------------------------------------------------------<br>
Check out the new SourceForge.net Marketplace.<br>
It's the best place to buy or sell services for<br>
just about anything Open Source.<br>
        <a
 href="http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace_______________________________________________"
 target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace_______________________________________________</a><br>
Snort-users mailing list<br>
        <a href="mailto:Snort-users@lists.sourceforge.net"
 target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
        <a
 href="https://lists.sourceforge.net/lists/listinfo/snort-users"
 target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
        <a
 href="http://www.geocrawler.com/redir-sf.php3?list=snort-users"
 target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a></blockquote>
      </div>
      <br>
      </div>
      </div>
    </blockquote>
    </div>
    <br>
    <span><snort.conf></span><span><output-snort></span></blockquote>
  </div>
  <br>
  </div>
  </div>
  </div>
  <pre wrap="">
<hr size="4" width="90%">
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
<a class="moz-txt-link-freetext" href="http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace">http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace</a></pre>
  <pre wrap="">
<hr size="4" width="90%">
_______________________________________________
Snort-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a>
Go to this URL to change user options or unsubscribe:
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
Snort-users list archive:
<a class="moz-txt-link-freetext" href="http://www.geocrawler.com/redir-sf.php3?list=snort-users">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a></pre>
</blockquote>
</body>
</html>