Snort mailing list archives
Re: Preprocessor Question.
From: "David A." <ti1ion2005 () gmail com>
Date: Tue, 1 Mar 2016 10:22:52 -0500
Thank you for the reply. I will work on enabling (or configuring and disabling) one, or both, preprocessors to remove the warning.

In my scenario, and I am new to using Snort, I am making limited use of its capabilities to mostly log everything and pass it to a syslog server -- Kiwi in my case, where I have created filters based on alerts I would like to receive.

I realize that my use of Snort is very basic. I just wish the new version would provide output like the old one, instead of adding this warning to seemingly every packet it logs.

On Tue, Mar 1, 2016 at 9:06 AM, Al Lewis (allewi) <allewi () cisco com> wrote:
Without any preprocessors enabled you won't get much use as stream5 and/or frag should be enabled almost always for any type of inspection.

Are you just trying to log traffic or inspect it?

Albert Lewis
QA Software Engineer
SOURCE*fire*, Inc. now part of *Cisco*
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

*From:* David A. [mailto:ti1ion2005 () gmail com]
*Sent:* Tuesday, March 01, 2016 8:43 AM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] Preprocessor Question.

Hello everyone,

I am currently using Snort version 2.9.6.0 successfully with a very simple, custom snort.conf file that defines a few variables, allows some traffic to be ignored and then forwards everything else to a syslog server.

Recently, I have set up a second machine -- in this case a Raspberry Pi -- with Snort 2.9.7.0-3 and intend to use it the same way as the previous system. However, it seems that the new version of Snort has introduced functionality that adds a "WARNING: No preprocessors configured for policy 0" to everything Snort processes.

I am not using preprocessors and don't have anything defined in my snort.conf. I am not using decoders and don't have them defined, either. I tried the "autoconfigure" command in my snort.conf, but that did not do anything. As a result, my logs are filling up with this warning message and I have not been able to find a way of stopping it.

I have Googled this issue and the answer always comes back to reading the Snort manual (I have read the portions linked) and defining preprocessors. I don't have any preprocessors and don't wish to have any.

Is there something I can do to stop Snort from issuing this warning?

Thank you for your help.
Current thread:
- Preprocessor Question. David A. (Mar 01)
- Re: Preprocessor Question. Al Lewis (allewi) (Mar 01)
- Re: Preprocessor Question. David A. (Mar 01)
- Re: Preprocessor Question. Al Lewis (allewi) (Mar 01)
- Re: Preprocessor Question. David A. (Mar 01)
- Re: Preprocessor Question. David A. (Mar 08)
- Re: Preprocessor Question. David A. (Mar 01)
- Re: Preprocessor Question. Al Lewis (allewi) (Mar 01)