Snort mailing list archives

Re: troubleshooting snort


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 4 Jun 2013 08:21:45 -0400

You can't remove all the line continuations.  Just the one I mentioned.  It
should look like this:

preprocessor stream5_global: track_tcp yes, \
   track_udp yes,  \
   track_icmp no,  \
   max_tcp 262144, \
   max_udp 131072
#   max_active_responses 2
#   min_response_seconds 5

On Tue, Jun 4, 2013 at 8:12 AM, soukaina mzerda <soukaina.mz () gmail com> wrote:

# Step #5: Configure preprocessors
# For more information, see the Snort Manual, Configuring Snort - Preprocessors
###################################################

# GTP Control Channel Preprocessor. For more information, see README.GTP
# preprocessor gtp: ports { 2123 3386 2152 }

# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
 preprocessor normalize_ip4
 preprocessor normalize_tcp: ips ecn stream
 preprocessor normalize_icmp4
 preprocessor normalize_ip6
 preprocessor normalize_icmp6

# Target-based IP defragmentation.  For more information, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
# policy windows detect_anomalies timeout 180 overlap_limit 10 min_fragment_length 100

# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes,
   track_udp yes,
   track_icmp no,
   max_tcp 262144,
   max_udp 131072
   max_active_responses 2
    min_response_seconds 5
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: timeout 180, ignore_any_rules

# performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \


On Tue, Jun 4, 2013 at 2:08 PM, Russ Combs <rcombs () sourcefire com> wrote:

Send your updated conf, at least the stream5 parts.


On Tue, Jun 4, 2013 at 8:06 AM, soukaina mzerda <soukaina.mz () gmail com> wrote:

I did so and I got another error :/ ....Missing parameter in Stream5
Global config !
:s :s


On Tue, Jun 4, 2013 at 1:56 PM, Russ Combs <rcombs () sourcefire com> wrote:

The comments (with #) and line continuations (with \) don't mix well.

Remove the ", \" at the end of the line with max_udp and uncomment the
stuff you previously commented (stream5_tcp and stream5_udp).


On Tue, Jun 4, 2013 at 7:49 AM, Seth Dunn <seth () d2ms com> wrote:

Looking at your snort.conf file, try putting a space between the '#'
and the first character.
Also, you can try commenting out the preprocessor lines.

# preprocessor stream5_tcp

# preprocessor stream5_udp

# Does nothing in IDS mode
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

# Target-based IP defragmentation.  For more information, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
 #policy windows detect_anomalies timeout 180 overlap_limit 10 min_fragment_length 100

# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   #max_active_responses 2, \
   #min_response_seconds 5
# preprocessor stream5_tcp: policy first, use_static_footprint_sizes,
ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111
161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669
7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778
32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918
7919 7920
# preprocessor stream5_udp: timeout 180, ignore_any_rules


From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Tuesday, June 04, 2013 7:18 AM
To: Seth Dunn
Cc: soukaina mzerda; snort-users () lists sourceforge net
Subject: Re: [Snort-users] troubleshooting snort


Look carefully at stream5_global and make sure that there isn't a line
continuation ( '\' ) at the end of those options causing stream5_tcp to
appear as one of them.  stream5_global and stream5_tcp must be separate.

On Tue, Jun 4, 2013 at 7:05 AM, Seth Dunn <seth () d2ms com> wrote:

Go to that line in your snort.conf file and comment it out, and try
again


From: soukaina mzerda [mailto:soukaina.mz () gmail com]
Sent: Tuesday, June 04, 2013 7:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] troubleshooting snort

hi,

I've configured snort on ubuntu with all packages needed, but I'm
facing here some troubles while running snort in IDS mode saying that

( ERROR: /etc/snort/etc/snort.conf(283) => Unknown Stream5 global
option (preprocessor stream5_tcp: policy first)

Fatal Error, Quitting..)

Please I need help, I've done all the configuration and I have to
complete this by the end of the day heeeeeeeeeeelp!



------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
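The two misconfigurations diagnosed in this thread (a trailing '\' that glues the next preprocessor line onto stream5_global, and commented-out options sitting inside a continuation chain) can be caught mechanically before Snort is started. The script below is an added example, not code from the thread or from the Snort project; it emulates continuation joining as an assumption about how the config parser behaves, and its sample configs are constructed from the stream5_global blocks quoted above.

```python
import re

# Constructed sample modelled on the broken stream5_global block quoted in
# the thread: the chain runs through commented-out options into stream5_tcp.
BAD_CONF = """\
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_udp 131072, \\
   #max_active_responses 2, \\
   #min_response_seconds 5 \\
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
"""

# Constructed sample in the shape Russ Combs recommends: the chain ends at
# max_udp and the unused options are ordinary comment lines after it.
GOOD_CONF = """\
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_udp 131072
#   max_active_responses 2
#   min_response_seconds 5
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
"""

def join_continuations(text):
    """Glue each line ending in '\\' onto the next (assumption: this mirrors the
    Snort parser). Returns a list of (first_line_number, logical_statement)."""
    statements, current, start = [], "", None
    for lineno, line in enumerate(text.splitlines(), 1):
        start = lineno if start is None else start
        line = line.rstrip()
        if line.endswith("\\"):
            current += line[:-1] + " "
            continue
        statements.append((start, (current + line).strip()))
        current, start = "", None
    if current:  # file ended on a dangling continuation
        statements.append((start, current.strip()))
    return statements

def check_stream5(text):
    """Return (line, message) findings for the pitfalls discussed in the thread."""
    findings = []
    for lineno, stmt in join_continuations(text):
        if not stmt.startswith("preprocessor stream5_global"):
            continue
        if re.search(r"\s#", stmt):  # a '#' line got swallowed mid-statement
            findings.append((lineno, "comment swallowed into stream5_global by a continuation"))
        if stmt.count("preprocessor ") > 1:  # next preprocessor glued on
            findings.append((lineno, "continuation runs into the next preprocessor line"))
        if stmt.endswith(","):  # the ', \' left behind after commenting options out
            findings.append((lineno, "stream5_global ends with a dangling comma"))
    return findings
```

Running `check_stream5(BAD_CONF)` reports both problems on line 1, while the recommended layout yields no findings.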
