Re: ssp_conversion BAD IP protocol, why?

[Erek Adams <erek () snort org>]

On Mon, 5 May 2003, Mike Koponick wrote:

> I seem to be having a reoccurring issue with Snort. I receive millions
> of these messages in my snort log. I tried commenting out the SID (118)
> in the gen-msg file, but no go.

Not the place to fix that.  Uncomment that as it has nothing to do with
your issue.

> Does anyone know how I can get rid of these things? They seem to report
> on packets that are typical on the network.
>
> 05/05-06:40:45.325111  [**] [118:1:1] (spp_conversation) Bad IP
> protocol! [**] {UDP} xxx.xxx.xxx.xxx:514 -> xxx.xxx.xxx.xxx:514

That alert is coming from spp_converstation.  Starting at about line 355
in snort.conf you'll see the info for configuration of the preprocessor.
I'll take a wild stab at it and say that in the 'allowed_ip_protocols'
slot, instead of IP protocol numbers [0] you placed _port_ numbers.  If
you take a look at that page, you'll see that the example protocols listed
in snort.conf (1, 6, 17) correspond to ICMP, TCP, and UDP.  You could just
change that to 'all' and be done with it, or you could take the time to
figure out what kind of protos are on your net and tune it accordingly.

If the port number thing isn't it, post your spp_conversation line and
we'll go from there.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.iana.org/assignments/protocol-numbers





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users