Snort mailing list archives

Re: config woes with 2.7.0.1 and frag3


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 14 Aug 2007 15:55:01 +1200

Thanks Justin!

Justin Heath wrote:
Missing commas ...

preprocessor frag3_global: max_frags 65536, prealloc_frags 262144

Yes -- we need commas here (there aren't any in the example snort.conf file
supplied with 2.7.0.1).

preprocessor frag3_engine: policy first, detect_anomalies

No, we don't want them here!

Here is what actually worked:

preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
preprocessor frag3_engine: policy First detect_anomalies

*very* confusing!

Sourcefire folks: Please see that the examples in the snort.conf file
actually match what works :) Some consistency around the use of commas
would help too.

Cheers, Russell.


On 8/13/07, Russell Fulton <r.fulton () auckland ac nz> wrote:
I recently installed 2.7.0.1 and it complained about my frag3
configuration that had worked fine with 2.6. The really strange thing is
that it is the same as in the sample snort.conf!

Here is an excerpt from my conf file:

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_alerts

preprocessor flow: stats_interval 0 hash 2

preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
preprocessor frag3_engine: policy first detect_anomalies

preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: zero_flushed_packets

and this generates the error:

Aug 13 09:21:41 monitor-dmzo snort: FATAL ERROR: conf/bond0.snort.conf(34) => Missing argument to max_frags in config file.
Aug 13 09:22:33 monitor-dmzo su(pam_unix)[3677]: session closed for user snort

Any ideas what is going on here?

Cheers, Russell




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
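The inconsistency the thread turns on (frag3_global wants comma-separated "option value" pairs, frag3_engine wants space-separated tokens with no commas) is easy to catch before restarting the sensor. The following pre-flight lint is an added example written for this archive page; it is not code from Snort or from anyone in the thread. It checks only the frag3 options that appear in the messages above (max_frags, prealloc_frags, policy, detect_anomalies), so the option tables are an assumed subset of what frag3 actually accepts, and it does not validate the policy value itself since the thread only shows that "First" worked. The sample excerpt is constructed from the broken and working lines quoted in the thread.

```python
from __future__ import annotations

import re

# Constructed sample: lines 1-2 are the forms the thread reports as failing,
# lines 3-4 are the forms Russell reports as working.
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
preprocessor frag3_engine: policy first, detect_anomalies
preprocessor frag3_global: max_frags 65536, prealloc_frags 262144
preprocessor frag3_engine: policy First detect_anomalies
"""

# Assumed subset of frag3 options, taken only from what the thread shows.
GLOBAL_VALUED = {"max_frags", "prealloc_frags"}   # each takes a numeric argument
ENGINE_VALUED = {"policy"}                         # takes one argument (value not validated here)
ENGINE_FLAGS = {"detect_anomalies"}                # bare keyword, no argument

_FRAG3_LINE = re.compile(r"^\s*preprocessor\s+(frag3_global|frag3_engine)\s*:\s*(.*?)\s*$")


def check_frag3_line(line: str) -> list[str]:
    """Return the problems found on one 'preprocessor frag3_*' line (empty list = looks fine).

    Lines that are not frag3 preprocessor lines are ignored and return [].
    """
    m = _FRAG3_LINE.match(line)
    if not m:
        return []
    name, args = m.group(1), m.group(2)
    problems: list[str] = []

    if name == "frag3_global":
        # frag3_global: comma-separated "option value" pairs.  A missing comma
        # makes one pair swallow the next, which is the "Missing argument to
        # max_frags" failure quoted in the thread.
        for item in args.split(","):
            tokens = item.split()
            if len(tokens) != 2:
                problems.append(
                    f"frag3_global: expected 'option value', got {item.strip()!r} (missing comma?)")
            elif tokens[0] not in GLOBAL_VALUED:
                problems.append(f"frag3_global: unrecognised option {tokens[0]!r}")
            elif not tokens[1].isdigit():
                problems.append(
                    f"frag3_global: {tokens[0]} needs a numeric argument, got {tokens[1]!r}")
    else:
        # frag3_engine: space-separated tokens, no commas at all.
        if "," in args:
            problems.append("frag3_engine: options are space-separated, remove the commas")
        tokens = args.replace(",", " ").split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in ENGINE_VALUED:
                if i + 1 >= len(tokens):
                    problems.append(f"frag3_engine: missing argument to {tok}")
                    break
                i += 2
            elif tok in ENGINE_FLAGS:
                i += 1
            else:
                problems.append(f"frag3_engine: unrecognised token {tok!r}")
                i += 1
    return problems


def check_conf(text: str) -> dict[int, list[str]]:
    """Lint every line of a snort.conf excerpt; map 1-based line numbers to their problems."""
    findings: dict[int, list[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        problems = check_frag3_line(line)
        if problems:
            findings[lineno] = problems
    return findings


if __name__ == "__main__":
    for lineno, problems in sorted(check_conf(SAMPLE_CONF).items()):
        for p in problems:
            print(f"line {lineno}: {p}")
```

Run against the constructed excerpt it flags lines 1 and 2 and passes lines 3 and 4, matching the outcome Russell describes. Because the option tables are deliberately limited to what the thread shows, extend GLOBAL_VALUED, ENGINE_VALUED and ENGINE_FLAGS from the frag3 section of the Snort manual for the version you run before trusting it on a full snort.conf.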
