Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FATAL ERROR: Please activate spp_conversation before trying to ac tivate spp_portscan2

From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 29 Sep 2003 13:46:29 -0400
At 10:24 AM 9/29/2003, Peters, Michael D. wrote:

I would like to turn the portscan feature on. This is what I have in the
config file enabled.

preprocessor portscan: $HOME_NET 5 3
/var/snort/portscan/home/home-portscan.log
preprocessor portscan-ignorehosts:  xxx.xxx.xxx.xxx/32 xxx.xxx.xxx.xxx/32
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5,
port_limit 20, timeout 60
preprocessor portscan2-ignorehosts: xxx.xxx.xxx.xxx/12

I get this error in syslog: "FATAL ERROR: Please activate spp_conversation
before trying to activate spp_portscan2"

Can someone please point out to me what I am doing wrong or missing in the
config?
Well, I hate be blunt, but the error message tells you exactly what to do, turn on spp_conversation. 

What more explanation do you need?
The portscan2 preprocessor REQUIRES the spp_conversation preprocessor. It cannot work without it. You don't have it enabled, so snort fails.
Look for it in the sample spp_conversation lines in the snort.conf that comes in the snort tarball and enable it. Make sure it comes before portscan2 in your snort.conf. 


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: