Snort mailing list archives
Re: ssp_conversion BAD IP protocol, why?
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 5 May 2003 09:14:09 -0500 (CDT)
"Mike Koponick" <mkoponick () redhawk info> wrote asking:
I seem to be having a reoccurring issue with Snort. I receive millions of these messages in my snort log. I tried commenting out the SID (118) in the gen-msg file, but no go.
That's correct. The "gen-msg" file just provides the messages snort prints in between the [**] flags in the alerts file. It has no effect whatever on what snort actually detects.
Does anyone know how I can get rid of these things? They seem to report on packets that are typical on the network.

05/05-06:40:45.325111 [**] [118:1:1] (spp_conversation) Bad IP protocol! [**] {UDP} xxx.xxx.xxx.xxx:514 -> xxx.xxx.xxx.xxx:514
"spp" stands for "Snort Pre-Processor". When you see it in an alert message, that means the alert was generated by one of the preprocessors you have enabled in the snort.conf file. You will have to edit that file and comment out the line that begins

...
preprocessor conversation:
...

and also the lines that begin

...
preprocessor portscan2:
preprocessor portscan2-ignorehosts:
etc.
...

if you are using them. Then restart Snort and all should be well.

I'm not being sarcastic here at all, but may I suggest that a careful perusal of the manual would be very useful? It isn't hard to master Snort rule and configuration syntax, and there are good explanations of the purposes of the various files associated with Snort.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
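The procedure in the reply above, as an added example that is not part of the original post or of Snort itself: a Python sketch that counts preprocessor-generated alerts by the "(spp_name)" prefix in the alert message, then comments out the matching "preprocessor" lines in a snort.conf text. The sample alerts and configuration lines are constructed, and the function names and the ALSO_DISABLE map are assumptions made for illustration.

```python
import re
from collections import Counter

# Alert line layout as shown in the post:
#   timestamp [**] [gid:sid:rev] message [**] {PROTO} src -> dst
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
SPP_RE = re.compile(r"^\(spp_(\w+)\)")
CONF_RE = re.compile(r"\s*preprocessor\s+([\w-]+)")

# Per the reply: when disabling "conversation", also disable the portscan2 lines.
ALSO_DISABLE = {"conversation": ("portscan2", "portscan2-ignorehosts")}

def noisy_preprocessors(alert_lines):
    """Count alerts per preprocessor, keyed by the name after 'spp_'."""
    counts = Counter()
    for line in alert_lines:
        alert = ALERT_RE.search(line)
        spp = SPP_RE.match(alert.group(4)) if alert else None
        if spp:  # rule-based alerts carry no (spp_...) prefix and are skipped
            counts[spp.group(1)] += 1
    return counts

def comment_out(conf_text, names):
    """Return conf_text with the 'preprocessor <name>' lines commented out."""
    targets = set(names)
    for name in names:
        targets.update(ALSO_DISABLE.get(name, ()))
    out = []
    for line in conf_text.splitlines():
        m = CONF_RE.match(line)  # already-commented lines do not match
        out.append("# " + line if m and m.group(1) in targets else line)
    return "\n".join(out)

# Constructed sample input (documentation addresses, made-up rule alert).
SAMPLE_ALERTS = [
    "05/05-06:40:45.325111 [**] [118:1:1] (spp_conversation) Bad IP protocol! "
    "[**] {UDP} 192.0.2.10:514 -> 192.0.2.20:514",
    "05/05-06:40:46.101010 [**] [118:1:1] (spp_conversation) Bad IP protocol! "
    "[**] {UDP} 192.0.2.11:514 -> 192.0.2.20:514",
    "05/05-06:41:02.000001 [**] [1:1000001:1] Constructed rule alert "
    "[**] {TCP} 192.0.2.12:4321 -> 192.0.2.20:80",
]
SAMPLE_CONF = """preprocessor frag2
preprocessor conversation: allowed_ip_protocols all, timeout 60
preprocessor portscan2: scanners_max 3200
preprocessor portscan2-ignorehosts: 192.0.2.53"""

if __name__ == "__main__":
    hits = noisy_preprocessors(SAMPLE_ALERTS)
    print(hits.most_common())
    print(comment_out(SAMPLE_CONF, hits))
```

Snort still has to be restarted after the real snort.conf is edited, as the reply says.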