Snort mailing list archives
Re: troubleshooting snort
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 4 Jun 2013 08:21:45 -0400
You can't remove all the line continuations. Just the one I mentioned. It should look like this:

    preprocessor stream5_global: track_tcp yes, \
       track_udp yes, \
       track_icmp no, \
       max_tcp 262144, \
       max_udp 131072
    # max_active_responses 2
    # min_response_seconds 5

On Tue, Jun 4, 2013 at 8:12 AM, soukaina mzerda <soukaina.mz () gmail com> wrote:

    # Step #5: Configure preprocessors
    # For more information, see the Snort Manual, Configuring Snort - Preprocessors
    ###################################################

    # GTP Control Channel Preprocessor. For more information, see README.GTP
    # preprocessor gtp: ports { 2123 3386 2152 }

    # Inline packet normalization. For more information, see README.normalize
    # Does nothing in IDS mode
    preprocessor normalize_ip4
    preprocessor normalize_tcp: ips ecn stream
    preprocessor normalize_icmp4
    preprocessor normalize_ip6
    preprocessor normalize_icmp6

    # Target-based IP defragmentation. For more information, see README.frag3
    preprocessor frag3_global: max_frags 65536
    preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
    # policy windows detect_anomalies timeout 180 overlap_limit 10 min_fragment_length 100

    # Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
    preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072 max_active_responses 2 min_response_seconds 5
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes
    preprocessor stream5_udp: timeout 180, ignore_any_rules

    # performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
    # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

    # HTTP normalization and anomaly detection. For more information, see README.http_inspect
    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
    preprocessor http_inspect_server: server default \

On Tue, Jun 4, 2013 at 2:08 PM, Russ Combs <rcombs () sourcefire com> wrote:

Send your updated conf, at least the stream5 parts.

On Tue, Jun 4, 2013 at 8:06 AM, soukaina mzerda <soukaina.mz () gmail com> wrote:

I did so and I got another error :/ ....Missing parameter in Stream5 Global config ! :s :s

On Tue, Jun 4, 2013 at 1:56 PM, Russ Combs <rcombs () sourcefire com> wrote:

The comments (with #) and line continuations (with \) don't mix well. Remove the ", \" at the end of the line with max_udp and uncomment the stuff you previously commented (stream5_tcp and stream5_udp).

On Tue, Jun 4, 2013 at 7:49 AM, Seth Dunn <seth () d2ms com> wrote:

Looking at your snort.conf file, try putting a space between the '#' and the first character. Also you can try commenting out the preprocessor lines also.

    # preprocessor stream5_tcp
    # preprocessor stream5_udp

    # Does nothing in IDS mode
    # preprocessor normalize_ip4
    # preprocessor normalize_tcp: ips ecn stream
    # preprocessor normalize_icmp4
    # preprocessor normalize_ip6
    # preprocessor normalize_icmp6

    # Target-based IP defragmentation. For more information, see README.frag3
    preprocessor frag3_global: max_frags 65536
    preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
    #policy windows detect_anomalies timeout 180 overlap_limit 10 min_fragment_length 100

    # Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
    preprocessor stream5_global: track_tcp yes, \
       track_udp yes, \
       track_icmp no, \
       max_tcp 262144, \
       max_udp 131072, \
       #max_active_responses 2, \
       #min_response_seconds 5
    # preprocessor stream5_tcp: policy first, use_static_footprint_sizes,
       ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111
       161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669
       7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778
       32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
       7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918
       7919 7920
    # preprocessor stream5_udp: timeout 180, ignore_any_rules

*From:* Russ Combs [mailto:rcombs () sourcefire com]
*Sent:* Tuesday, June 04, 2013 7:18 AM
*To:* Seth Dunn
*Cc:* soukaina mzerda; snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] troubleshooting snort

Look carefully at stream5_global and make sure that there isn't a line continuation ( '\' ) at the end of those options causing stream5_tcp to appear as one of them. stream5_global and stream5_tcp must be separate.

On Tue, Jun 4, 2013 at 7:05 AM, Seth Dunn <seth () d2ms com> wrote:

Go to that line in your snort.conf file and comment it out, and try again

*From:* soukaina mzerda [mailto:soukaina.mz () gmail com]
*Sent:* Tuesday, June 04, 2013 7:03 AM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] troubleshooting snort

hi,

I've configured snort on ubuntu with all packages needed, but I'm facing here some troubles while running snort on IDS mode saying that

    ( ERROR: /etc/snort/etc/snort.conf(283) => Unknown Stream5 global option (preprocessor stream5_tcp: policy first)
    Fatal Error, Quitting..)

Please I need help, I've done all the configuration and I have to complete this by the end of the day heeeeeeeeeeelp!

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
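As an added example (not part of the thread and not Snort's own parser), this Python check looks for the two mistakes discussed above: a `\` continuation that runs into `#` comment lines and swallows the next directive, and a directive left ending in a comma once its continuations are removed. It assumes a comment line inside an open continuation is dropped without closing it, which is consistent with the "Unknown Stream5 global option" error quoted in the thread but is not taken from Snort's source; `lint_continuations`, the finding names and the shortened sample configs are constructed for illustration.

```python
import re

DIRECTIVE = re.compile(r"\bpreprocessor\s+\w+")

def lint_continuations(conf_text):
    """Return sorted (line_no, finding) pairs for snort.conf-style text."""
    findings, logical, start = [], [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            if logical:  # comment while a '\' continuation is still open
                findings.append((no, "comment-in-continuation"))
            continue     # assumption: comment dropped, continuation stays open
        if not line and not logical:
            continue     # blank line outside any directive
        start = start or no
        logical.append(line.rstrip("\\").strip())
        if line.endswith("\\"):
            continue     # directive continues on the next line
        joined = " ".join(logical)
        if len(DIRECTIVE.findall(joined)) > 1:
            findings.append((start, "directive-swallowed"))
        if DIRECTIVE.match(joined) and joined.endswith(","):
            findings.append((start, "dangling-comma"))
        logical, start = [], None
    return sorted(findings)

# Constructed, shortened samples based on the stream5 lines quoted in the thread.
BROKEN = r"""preprocessor stream5_global: track_tcp yes, \
   track_icmp no, \
   max_udp 131072, \
   #max_active_responses 2, \
   #min_response_seconds 5
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
"""
NO_CONTINUATIONS = """preprocessor stream5_global: track_tcp yes,
   track_icmp no,
   max_udp 131072
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
"""
FIXED = r"""preprocessor stream5_global: track_tcp yes, \
   track_icmp no, \
   max_udp 131072
#   max_active_responses 2
#   min_response_seconds 5
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
"""
if __name__ == "__main__":
    print([lint_continuations(c) for c in (BROKEN, NO_CONTINUATIONS, FIXED)])
```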