Snort mailing list archives

Re: snort error config option "detection" ...


From: <Gregory.Brunn () compucom com>
Date: Sun, 25 Oct 2009 08:45:46 -0500

Have you verified that snort is seeing traffic? That would be my first
step.

Run snort as a packet sniffer:

# snort -dev

________________________________

From: Adam Szabo [mailto:adamx001 () gmail com] 
Sent: Sunday, October 25, 2009 9:08 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort error config option "detection" ...


Thank you all. My Ubuntu was all messed up so I reinstalled the whole
system and it works now.

I successfully installed BASE and I see the web surface but there are 0
alerts. I'm behind a router, but there should be alerts on my local
network also, am I right? Snort has been running for half an hour.

Adam Szabo


On Sat, Oct 24, 2009 at 6:35 PM, Nigel Houghton <nhoughton () sourcefire com> wrote:

        On Sat, Oct 24, 2009 at 1:15 PM, Adam Szabo <adamx001 () gmail com> wrote:
        > Detection: Search-Method = AC-BNFA-Q
        > ERROR: /etc/snort/snort.conf(273) Config option "detection" can only be configured once.
        >
        > Adam Szabo
        >
        > On Sat, Oct 24, 2009 at 6:23 PM, Nigel Houghton <nhoughton () sourcefire com> wrote:
        >>
        >> On Sat, Oct 24, 2009 at 3:47 AM, Adam Szabo <adamx001 () gmail com> wrote:
        >> > Still not working. The configuration is the default I downloaded from
        >> > snort.com. I only changed the HOME_NET and EXTERNAL_NET variables and the
        >> > rules path.
        >> >
        >> > Adam Szabo
        >> >
        >> > On Thu, Oct 22, 2009 at 10:43 PM, Russ Combs <rcombs () sourcefire com> wrote:
        >> >>
        >> >> You've got a typo on every line!  (see below)
        >> >>
        >> >> With those fixes I can run either lines 1 and 3 or lines 2 and 3
        >> >> through snort -T.
        >> >>
        >> >> If that doesn't fix it, send your conf.
        >> >>
        >> >> Russ
        >> >> On Thu, Oct 22, 2009 at 2:15 PM, Adam Szabo <adamx001 () gmail com> wrote:
        >> >>>
        >> >>> I have these:
        >> >>> config detection: search-method lowmen
        >> >>
        >> >> lowmen -> lowmem
        >> >>
        >> >>>
        >> >>> config detection: search method ac-bnfa max_queue_events 5
        >> >>
        >> >> search method -> search-method
        >> >>
        >> >>>
        >> >>> config event_queue: max_queue 8 log 3 order_events content_lenght
        >> >>
        >> >> content_lenght -> content-length
        >> >>>
        >> >>> Adam Szabo
        >> >>>
        >> >>> On Thu, Oct 22, 2009 at 8:09 PM, Matt Olney <molney () sourcefire com> wrote:
        >> >>>>
        >> >>>> Is it possible that you have multiple detection statements?
        >> >>>>
        >> >>>> grep detection snort.conf
        >> >>>>
        >> >>>> On Thu, Oct 22, 2009 at 1:58 PM, Adam Szabo <adamx001 () gmail com> wrote:
        >> >>>> > Hi,
        >> >>>> > I'm running Snort 2.8.5 on Ubuntu Linux and I'm getting this error when I
        >> >>>> > start Snort (snort -c /etc/snort/snort.conf):
        >> >>>> >
        >> >>>> > "Detection: Search-Method = AC-BNFA-Q
        >> >>>> > ERROR: /etc/snort/snort.conf(273) Config option "detection" can only be
        >> >>>> > configured once."
        >> >>>> >
        >> >>>> > I did not change anything near line 273, so I don't know why this is
        >> >>>> > happening. Can you help me?
        >> >>>> >
        >> >>>> > Thank you,
        >> >>>> > Adam Szabo
        >> >>>> >
        >> >>>> >
        >> >>>> >
        >> >>>> >
------------------------------------------------------------------------
------
        >> >>>> > Come build with us! The BlackBerry(R) Developer
Conference in SF,
        >> >>>> > CA
        >> >>>> > is the only developer event you need to attend this
year. Jumpstart
        >> >>>> > your
        >> >>>> > developing skills, take BlackBerry mobile applications
to market
        >> >>>> > and
        >> >>>> > stay
        >> >>>> > ahead of the curve. Join us from November 9 - 12,
2009. Register
        >> >>>> > now!
        >> >>>> > http://p.sf.net/sfu/devconference
        >> >>>> > _______________________________________________
        >> >>>> > Snort-users mailing list
        >> >>>> > Snort-users () lists sourceforge net
        >> >>>> > Go to this URL to change user options or unsubscribe:
        >> >>>> >
https://lists.sourceforge.net/lists/listinfo/snort-users
        >> >>>> > Snort-users list archive:
        >> >>>> >
http://www.geocrawler.com/redir-sf.php3?list=snort-users
        >> >>>> >
        >> >>>
        >> >>
        >> >
        >> >
        >>
        >>
        >> What exactly is the error you are getting now?
        >>
        >> --
        >> Nigel Houghton
        >> Head Mentalist
        >> SF VRT
        >> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
        >
        >
        
        
        
        Then you aren't using the snort.conf from the tarball with only the
        edits you say you made.
        
        I get no such error with the standard snort.conf. I suggest you go
        back to step 1, copy the snort.conf to /etc/snort/snort.conf and try
        running snort with the -T option and probably with the -c option to
        make sure you are getting the right snort.conf. (you probably want to
        edit first to make sure your rule path is correct)
        
        --
        
        Nigel Houghton
        Head Mentalist
        SF VRT
        http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
        


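
The duplicate check suggested in the thread with `grep detection snort.conf`, narrowed to active `config detection:` lines so that commented-out lines and unrelated matches are not counted. This is an added example, not part of the original thread; the function names `dup_config` and `sample_conf` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every active "config <option>:" line in the given
# Snort config file(s); return 1 when the option is set more than once.
dup_config() {
    opt=$1; shift
    awk -v opt="$opt" '
        /^[ \t]*#/ { next }                  # ignore commented-out lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)         # tolerate indented directives
            if (line ~ ("^config[ \t]+" opt "[ \t]*:"))
                hits[++n] = FILENAME ":" FNR ": " line
        }
        END {
            for (i = 1; i <= n; i++) print hits[i]
            exit (n > 1 ? 1 : 0)
        }
    ' "$@"
}

# Constructed sample config: one commented-out and two active
# "config detection:" lines (lines 1, 3 and 5).
sample_conf() {
    cat <<'EOF'
# config detection: search-method lowmem
var HOME_NET 192.168.1.0/24
config detection: search-method ac-bnfa
config event_queue: max_queue 8 log 3
  config detection: search-method lowmem
EOF
}

# Demo run against the constructed sample.
demo_file=$(mktemp)
sample_conf > "$demo_file"
dup_config detection "$demo_file" || echo "detection is configured more than once"
rm -f "$demo_file"
```

The function does not follow `include` directives, so pass any included files as extra arguments. Once it reports a single line, `snort -T -c /etc/snort/snort.conf` re-tests the file as suggested in the thread.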
