Snort mailing list archives
Re: FATAL ERROR: Please activate spp_conversation before trying to ac tivate spp_portscan2
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 29 Sep 2003 13:46:29 -0400
At 10:24 AM 9/29/2003, Peters, Michael D. wrote:
I would like to turn the portscan feature on. This is what I have in the config file enabled. preprocessor portscan: $HOME_NET 5 3 /var/snort/portscan/home/home-portscan.log preprocessor portscan-ignorehosts: xxx.xxx.xxx.xxx/32 xxx.xxx.xxx.xxx/32 preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60 preprocessor portscan2-ignorehosts: xxx.xxx.xxx.xxx/12 I get this error in syslog: "FATAL ERROR: Please activate spp_conversation before trying to activate spp_portscan2" Can someone please point out to me what I am doing wrong or missing in the config?
Well, I hate be blunt, but the error message tells you exactly what to do, turn on spp_conversation.
What more explanation do you need?The portscan2 preprocessor REQUIRES the spp_conversation preprocessor. It cannot work without it. You don't have it enabled, so snort fails.
Look for it in the sample spp_conversation lines in the snort.conf that comes in the snort tarball and enable it. Make sure it comes before portscan2 in your snort.conf.
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- FATAL ERROR: Please activate spp_conversation before trying to ac tivate spp_portscan2 Peters, Michael D. (Sep 29)
- Re: FATAL ERROR: Please activate spp_conversation before trying to ac tivate spp_portscan2 Erek Adams (Sep 29)
- Re: FATAL ERROR: Please activate spp_conversation before trying to ac tivate spp_portscan2 Matt Kettler (Sep 29)