Snort mailing list archives

RE: Looking for snort.conf with new preprocessor info


From: "Harper, Patrick" <patrick.harper () phns com>
Date: Mon, 26 Jul 2004 12:54:35 -0500

How did you upgrade? This can make a difference.

Look in the source tarball and you will find the new snort.conf; it also
comes in the RPM.

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

-----Original Message-----
From: Bill Warren [mailto:bwarren () optivel com] 
Sent: Monday, July 26, 2004 12:47 PM
To: Harper, Patrick; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Looking for snort.conf with new preprocessor info

I am running Debian Woody with Snort 2.0.0 and nothing else, and it is
running fine.  It would catch all the portscans.  Now that I have
installed 2.2 rc1, it does not find them.  It starts with no errors.
Here is what I get from my syslog.

Jul 26 12:42:38 optivel-mgmt snort: Writing PID "21721" to file "/var/run//snort_eth0.pid"
Jul 26 12:42:38 optivel-mgmt snort: HttpInspect Config:
Jul 26 12:42:38 optivel-mgmt snort:     GLOBAL CONFIG
Jul 26 12:42:38 optivel-mgmt snort:       Max Pipeline Requests:    0
Jul 26 12:42:38 optivel-mgmt snort:       Inspection Type:          STATELESS
Jul 26 12:42:38 optivel-mgmt snort:       Detect Proxy Usage:       NO
Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Filename: /etc/snort/etc/unicode.map
Jul 26 12:42:38 optivel-mgmt snort:       IIS Unicode Map Codepage: 1252
Jul 26 12:42:38 optivel-mgmt snort: rpc_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode RPC on: 111 32771
Jul 26 12:42:38 optivel-mgmt snort:     alert_fragments: INACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_large_fragments: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_incomplete: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort:     alert_multiple_requests: ACTIVE
Jul 26 12:42:38 optivel-mgmt snort: telnet_decode arguments:
Jul 26 12:42:38 optivel-mgmt snort:     Ports to decode telnet on: 21 23 25 119
Jul 26 12:42:38 optivel-mgmt snort: Conversation Config:
Jul 26 12:42:38 optivel-mgmt snort:    KeepStats: 0
Jul 26 12:42:38 optivel-mgmt snort:    Conv Count: 3000
Jul 26 12:42:38 optivel-mgmt snort:    Timeout   : 60
Jul 26 12:42:38 optivel-mgmt snort:    Alert Odd?: 0
Jul 26 12:42:38 optivel-mgmt snort:    Allowed IP Protocols:
Jul 26 12:42:38 optivel-mgmt snort:  All
Jul 26 12:42:38 optivel-mgmt snort:
Jul 26 12:42:38 optivel-mgmt snort: Portscan2 config:
Jul 26 12:42:38 optivel-mgmt snort:     log: /var/log/snort/scan.log
Jul 26 12:42:38 optivel-mgmt snort:     scanners_max: 256
Jul 26 12:42:38 optivel-mgmt snort:     targets_max: 1024
Jul 26 12:42:38 optivel-mgmt snort:     target_limit: 5
Jul 26 12:42:38 optivel-mgmt snort:     port_limit: 20
Jul 26 12:42:38 optivel-mgmt snort:     timeout: 60
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (396) => flowbits without flow. flow must be enabled for this plugin.
Jul 26 12:42:38 optivel-mgmt last message repeated 2 times
Jul 26 12:42:38 optivel-mgmt snort: Warning: /etc/snort/etc/../rules/web-misc.rules (397) => flowbits without flow. flow must be enabled for this plugin.

I see that there is a problem with the flowbits.  That is why I think I did
something wrong with the snort.conf file.  Any ideas?

Thanks,
Bill


Harper, Patrick wrote:

What OS are you running?  How did you install (binary for Windows, RPM,
source)?  A little more info is needed, please.

-----Original Message-----
From: Bill Warren [mailto:bwarren () optivel com]
Sent: Monday, July 26, 2004 9:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Looking for snort.conf with new preprocessor info

Hello All,
I just updated from Snort 2.0.0 to 2.2 and I need the new snort.conf with preprocessor info.
Thanks,
Bill



-- 

**********************************
Bill Warren
Optivel, Inc.
E-mail: bwarren () optivel com
Voice:  317.275.2305
Fax:    317.275.2301
Web:    http://www.optivel.com
**********************************
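The "flowbits without flow" warning in Bill's syslog is the symptom Patrick's reply addresses: a snort.conf carried over from 2.0 has no uncommented `preprocessor flow` line, so every rule that uses flowbits warns at startup and the flow-based tracking never runs. The script below is an added example, not code from this thread or from Snort, that reproduces that startup check offline: given a snort.conf and the rules files it includes (both constructed here, with made-up sids and rule text), it reports each flowbits rule when no active `preprocessor flow` directive exists, and shows the one-line fix. Placing the inserted line ahead of the other preprocessor directives is an assumption, not something the thread states.

```python
import re

# Constructed sample snort.conf (not from the thread). It mimics a config
# carried over from Snort 2.0: the flow line exists only as a comment, which
# Snort ignores exactly as if it were absent.
CONF_WITHOUT_FLOW = """\
var RULE_PATH ../rules
#preprocessor flow: stats_interval 0 hash 2
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor rpc_decode: 111 32771
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
include $RULE_PATH/web-misc.rules
"""

FLOW_LINE = "preprocessor flow: stats_interval 0 hash 2"   # the line from Patrick's reply
CONF_WITH_FLOW = FLOW_LINE + "\n" + CONF_WITHOUT_FLOW

# Constructed rules keyed by the include path used in the config. Sids and
# content are hypothetical; only the presence of flowbits matters here.
RULES = {
    "$RULE_PATH/web-misc.rules": [
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"demo set"; '
        'flowbits:set,demo.seen; flowbits:noalert; sid:1000001; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"demo isset"; '
        'flowbits:isset,demo.seen; content:"x"; sid:1000002; rev:1;)',
        'alert tcp any any -> any 80 (msg:"no flowbits"; content:"y"; sid:1000003; rev:1;)',
        '# flowbits:set,commented.out lives in a comment and must not count',
    ],
}

_FLOW_RE = re.compile(r"^\s*preprocessor\s+flow\s*(:|$)")  # does not match flow-portscan
_PREPROC_RE = re.compile(r"^\s*preprocessor\s")
_INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
_FLOWBITS_RE = re.compile(r"\bflowbits\s*:")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def flow_enabled(conf_text):
    """True if an uncommented 'preprocessor flow' directive is present."""
    return any(_FLOW_RE.match(line) for line in conf_text.splitlines())


def parse_includes(conf_text):
    """Include paths in config order; commented-out includes are skipped."""
    return [m.group(1) for m in map(_INCLUDE_RE.match, conf_text.splitlines()) if m]


def flowbits_warnings(conf_text, rules_by_path):
    """Mirror Snort's startup warning: one (path, line, sid) per flowbits rule
    in an included file when flow is not enabled; empty when it is."""
    if flow_enabled(conf_text):
        return []
    found = []
    for path in parse_includes(conf_text):
        for lineno, rule in enumerate(rules_by_path.get(path, []), 1):
            if rule.lstrip().startswith("#") or not _FLOWBITS_RE.search(rule):
                continue
            m = _SID_RE.search(rule)
            found.append((path, lineno, int(m.group(1)) if m else None))
    return found


def format_warnings(warnings):
    """Render warnings in the same shape as the syslog lines in the thread."""
    return ["Warning: %s (%d) => flowbits without flow. flow must be enabled for this plugin."
            % (path, lineno) for path, lineno, _ in warnings]


def enable_flow(conf_text):
    """Return the config with the flow directive added ahead of the other
    preprocessor lines (placement is an assumption, not from the thread)."""
    if flow_enabled(conf_text):
        return conf_text
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if _PREPROC_RE.match(line):
            lines.insert(i, FLOW_LINE)
            break
    else:
        lines.append(FLOW_LINE)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for w in format_warnings(flowbits_warnings(CONF_WITHOUT_FLOW, RULES)):
        print(w)
    print("after fix:", flowbits_warnings(enable_flow(CONF_WITHOUT_FLOW), RULES))
```

The check deliberately treats a commented-out `#preprocessor flow` line as absent, because that is how Snort reads it and it is the most common way the directive goes missing when an old snort.conf is reused. Running the script against a real tree is a matter of reading snort.conf and the included rules files from disk in place of the constructed strings.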




