Snort mailing list archives
RE: Looking for snort.conf with new preprocessor info
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Mon, 26 Jul 2004 12:54:35 -0500
How did you upgrade? This can make a difference. Look in the source tarball and you will find the new snort.conf; it also comes in the RPM.

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

-----Original Message-----
From: Bill Warren [mailto:bwarren () optivel com]
Sent: Monday, July 26, 2004 12:47 PM
To: Harper, Patrick; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info

I am running Debian Woody with Snort 2.0.0 and nothing else and it is running fine. It would catch all the portscans. Now that I have installed 2.2 rc1 it does not find them. It starts with no errors. Here is what I get from my syslog.
Jul 26 12:42:38 optivel-mgmt snort: Writing PID "21721" to file "/var/run//snort_eth0.pid"
Jul 26 12:42:38 optivel-mgmt snort: HttpInspect Config:
Jul 26 12:42:38 optivel-mgmt snort: GLOBAL CONFIG
Jul 26 12:42:38 optivel-mgmt snort: Max Pipeline Requests: 0
Jul 26 12:42:38 optivel-mgmt snort: Inspection Type: STATELESS
Jul 26 12:42:38 optivel-mgmt snort: Detect Proxy Usage: NO
Jul 26 12:42:38 optivel-mgmt snort: IIS Unicode Map Filename: /etc/snort/etc/unicode.map
Jul 26 12:42:38 optivel-mgmt snort: IIS Unicode Map Codepage: 1252
Jul 26 12:42:38 optivel-mgmt snort: rpc_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort: Ports to decode RPC on: 111 32771
Jul 26 12:42:38 optivel-mgmt snort: alert_fragments: INACTIVE
Jul 26 12:42:38 optivel-mgmt snort: alert_large_fragments: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort: alert_incomplete: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort: alert_multiple_requests: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort: telnet_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort: Ports to decode telnet on: 21 23 25 119
Jul 26 12:42:38 optivel-mgmt snort: Conversation Config:
Jul 26 12:42:38 optivel-mgmt snort: KeepStats: 0
Jul 26 12:42:38 optivel-mgmt snort: Conv Count: 3000
Jul 26 12:42:38 optivel-mgmt snort: Timeout : 60
Jul 26 12:42:38 optivel-mgmt snort: Alert Odd?: 0
Jul 26 12:42:38 optivel-mgmt snort: Allowed IP Protocols:
Jul 26 12:42:38 optivel-mgmt snort: All
Jul 26 12:42:38 optivel-mgmt snort:
Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:
Jul 26 12:42:38 optivel-mgmt snort: log: /var/log/snort/scan.log
Jul 26 12:42:38 optivel-mgmt snort: scanners_max: 256
Jul 26 12:42:38 optivel-mgmt snort: targets_max: 1024
Jul 26 12:42:38 optivel-mgmt snort: target_limit: 5
Jul 26 12:42:38 optivel-mgmt snort: port_limit: 20
Jul 26 12:42:38 optivel-mgmt snort: timeout: 60
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow. flow must be enabled for this plugin.
Jul 26 12:42:38 optivel-mgmt last message repeated 2 times
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow. flow must be enabled for this plugin.

I see that there is a problem with the flowbits, so I did something wrong with the snort.conf file. Any ideas?

Thanks,
Bill

Harper, Patrick wrote:
What OS are you running? How did you install (binary for Windows, RPM, source)? A little more info is needed, please.

-----Original Message-----
From: Bill Warren [mailto:bwarren () optivel com]
Sent: Monday, July 26, 2004 9:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Looking for snort.conf with new preprocessor info

Hello All,

I just updated from Snort 2.0.0 to 2.2 and I need the new snort.conf with preprocessor info.

Thanks,
Bill
--
**********************************
Bill Warren
Optivel, Inc.
E-mail: bwarren () optivel com
Voice: 317.275.2305
Fax: 317.275.2301
Web: http://www.optivel.com
**********************************
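The thread's diagnosis in code, as an added example (not code from the thread, from Snort, or from either poster): Bill's startup log prints Conversation and Portscan2 config blocks and no flow block, then warns "flowbits without flow" for two rules in web-misc.rules, which is what a Snort 2.2 binary does when it is started with a 2.0-era snort.conf that has no `preprocessor flow` line. The script below reproduces that check ahead of time: it parses a snort.conf (joining backslash continuations and skipping comments), lists every uncommented preprocessor, finds rules that use the flowbits keyword, and emits the same warning text Snort prints when flow is missing; it also flags flow-portscan without flow, since the snort.conf comment Patrick quotes says flow must be enabled for flow-portscan. A second function pulls the (file, line) pairs out of a syslog excerpt. The snort.conf fragments and local.rules are constructed samples, the two syslog warning lines are quoted from Bill's post, and the function names, the flow-portscan argument values and the ordering check (flow before flow-portscan, on the assumption that preprocessors are initialised in snort.conf order) are my own.

```python
"""Pre-flight check for the Snort 2.2 flow-preprocessor dependency.

Added example, not code from the thread or from Snort. Snort 2.2 prints
"flowbits without flow. flow must be enabled for this plugin." for every
rule that uses flowbits when `preprocessor flow` is not configured, and
the snort.conf comment says flow-portscan needs flow as well. This finds
both problems before Snort is started and parses the warnings afterwards.
"""
import re
from typing import Dict, List, Tuple

# Constructed snort.conf fragment (not from the thread): 2.0-style file with
# the flow line still commented out. The second copy has it enabled.
CONF_WITHOUT_FLOW = """\
var HOME_NET any
# preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: \\
    talker-sliding-scale-factor 0.50 \\
    server-watchnet [10.2.0.0/30]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
include local.rules
"""
CONF_WITH_FLOW = CONF_WITHOUT_FLOW.replace("# preprocessor flow:", "preprocessor flow:")

# Constructed rules file: sids 1000001 and 1000002 use flowbits, 1000003 does not.
LOCAL_RULES = """\
# local.rules (constructed sample)
alert tcp any any -> any 80 (msg:"set bit"; flowbits:set,seen_req; flowbits:noalert; sid:1000001;)
alert tcp any 80 -> any any (msg:"use bit"; flowbits:isset,seen_req; sid:1000002;)
alert icmp any any -> any any (msg:"ping"; itype:8; sid:1000003;)
"""

# Two warning lines quoted from Bill's syslog excerpt in the thread.
SYSLOG_EXCERPT = """\
Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow. flow must be enabled for this plugin.
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow. flow must be enabled for this plugin.
"""

FLOW_WARNING = "flowbits without flow. flow must be enabled for this plugin."
WARN_RE = re.compile(r"Warning: (\S+) \((\d+)\) => " + re.escape(FLOW_WARNING))


def _logical_lines(text: str) -> List[Tuple[int, str]]:
    """(first line number, joined line) with '\\' continuations joined and
    blank or '#' comment lines dropped, the way snort.conf is read."""
    out: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined = " ".join(buf).strip()
        buf = []
        if joined and not joined.startswith("#"):
            out.append((start, joined))
    return out


def enabled_preprocessors(conf_text: str) -> Dict[str, Tuple[int, str]]:
    """Map preprocessor name -> (line number, argument string) for every
    uncommented `preprocessor <name>[: args]` directive, in file order."""
    found: Dict[str, Tuple[int, str]] = {}
    for lineno, line in _logical_lines(conf_text):
        m = re.match(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)$", line)
        if m and m.group(1) not in found:
            found[m.group(1)] = (lineno, m.group(2).strip())
    return found


def flowbits_rules(rules_text: str, filename: str) -> List[Tuple[str, int]]:
    """(filename, line) for each active rule that uses the flowbits keyword
    (the `flow:` rule option is a different thing and is not matched)."""
    hits: List[Tuple[str, int]] = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and re.search(r"\bflowbits\s*:", s):
            hits.append((filename, n))
    return hits


def check_flow_dependencies(conf_text: str, rules_text: str,
                            rules_file: str = "local.rules") -> List[str]:
    """Warnings Snort 2.2 would print for this config, plus an ordering
    check (assumption: flow must come before flow-portscan in snort.conf)."""
    pp = enabled_preprocessors(conf_text)
    flow_line = pp["flow"][0] if "flow" in pp else None
    warnings: List[str] = []
    if flow_line is None:
        for fname, n in flowbits_rules(rules_text, rules_file):
            warnings.append(f"{fname} ({n}) => {FLOW_WARNING}")
    if "flow-portscan" in pp:
        ps_line = pp["flow-portscan"][0]
        if flow_line is None:
            warnings.append(f"snort.conf ({ps_line}) => flow-portscan without flow. "
                            "flow must be enabled for this plugin.")
        elif ps_line < flow_line:
            warnings.append(f"snort.conf ({ps_line}) => flow-portscan configured "
                            f"before flow (line {flow_line}); move flow above it.")
    return warnings


def flow_warnings_from_syslog(log_text: str) -> List[Tuple[str, int]]:
    """(rules file, line) for every explicit 'flowbits without flow' line."""
    return [(m.group(1), int(m.group(2))) for m in WARN_RE.finditer(log_text)]


if __name__ == "__main__":
    for label, conf in (("2.0-style conf", CONF_WITHOUT_FLOW), ("fixed conf", CONF_WITH_FLOW)):
        print(label, check_flow_dependencies(conf, LOCAL_RULES) or "OK")
    print("from syslog:", flow_warnings_from_syslog(SYSLOG_EXCERPT))
```

Run it and the 2.0-style configuration produces one warning per flowbits rule plus one for flow-portscan, while the configuration with `preprocessor flow: stats_interval 0 hash 2` produces none. One caveat on the syslog side: syslogd collapses identical consecutive lines into "last message repeated N times", as it did in Bill's log, so the parser only returns the warnings that were written out verbatim, not the true count.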
Current thread:
- Looking for snort.conf with new preprocessor info Bill Warren (Jul 26)
- RE: Looking for snort.conf with new preprocessor info Jeff Dell (Jul 26)
- <Possible follow-ups>
- RE: Looking for snort.conf with new preprocessor info Harper, Patrick (Jul 26)
- Re: Looking for snort.conf with new preprocessor info Bill Warren (Jul 26)
- RE: Looking for snort.conf with new preprocessor info Jeff Dell (Jul 26)
- Re: Looking for snort.conf with new preprocessor info Bill Warren (Jul 26)
- RE: Looking for snort.conf with new preprocessor info Jeff Dell (Jul 26)
- Re: Looking for snort.conf with new preprocessor info Bill Warren (Jul 26)
- Re: Looking for snort.conf with new preprocessor info Bill Warren (Jul 26)
- Re: Looking for snort.conf with new preprocessor info Bill Warren (Jul 26)