Re: Snort 2.8.5.3 does not like default global telnet config??

[Joel Esler <jesler () sourcefire com>]

Can you post your snort.conf?  Of course sanitized for your protection.

The ftp_telnet global config in my snort.conf is the following:

preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

J

On Apr 20, 2010, at 7:12 PM, Joe Pampel wrote:

> Hi and thanks!
>
> I think what you are saying is that snort.conf was not updated and has stale keywords?
>
> I did a diff between the one in the build folders and the production one and there are some interesting changes.
> Production one looked stale..
>
> So I set up a new snort.conf based on the one in the install files and now it is still failing with the same error.
> At least I am consistent...
>
> It has the SSL config now which looks valid:  (per Page #66-67 in manual)
>
> preprocessor ssl: noinspect_encrypted, trustservers
>
> When I try to run it, it still claims that:
>
> ....Portscan Detection Config:
>    Detect Protocols:  TCP UDP ICMP IP
>    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>    Sensitivity Level: Low
>    Memcap (in bytes): 10000000
>    Number of Nodes:   36900
> ERROR: /usr/local/etc/snort.conf(406) => Invalid keyword 'encrypted_traffic' for 'global' configuration.
> Fatal Error, Quitting..
> MY-IDS@/usr/local/bin:
>
> I read the snort.conf file and looked at the manual again and I honestly don't see what else I would need to config 
> to get it at least running. The defaults look like they should work without human intervention.
>
> should I go back to flipping burgers now? ;)
>
>
> On Apr 20, 2010, at 7:53 PM, Russell Fulton wrote:
>
> > On 21/04/2010, at 11:12 AM, Joe Pampel wrote:
> >
> > > Hi,
> > >
> > > I upgraded a sensor which was at Snort 2.8.4 to the new version 2.8.5.3
> > > This is on Solaris 10, x86.  I am logging remotely; there is no local mysql etc.
> > > It has been running snort stably for over a year now.
> > >
> > > Now when I try to run Snort, it chokes on the global telnet config, but there is nothing wrong with it - it is the 
> > > default.
> >
> >
> > nothing wrong with the telnet config -- what you are missing is the new ssl config. see README.ssl
> >
> > They have just added the new keywords to the rules.
> >
> > R
>
>
> The information contained in this correspondence is intended solely for the person or entity entitled to receive the 
> confidential and/or privileged material that it may contain. Any review, retransmission, dissemination or other use 
> of, or taking of any action in reliance upon, the information in this correspondence (including any attachments) by 
> anyone other than the intended recipient is strictly prohibited. If you believe that you may not be the intended 
> recipient, please destroy and/or delete this correspondence and the attachment(s).
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler








------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users