Snort mailing list archives

Re: Preprocessor Question.


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 1 Mar 2016 15:55:31 +0000

It does. But running snort in IDS mode with NO preprocessors doesn’t make much sense. It will make an evasion pretty 
trivial and give you a gang of false positives.

I would suggest you start with the default snort config running the latest version of snort from the site. Then scale 
back/enable things you need from that point.

Let us know how it goes!


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
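To make the advice above concrete, here is a minimal Snort 2.9 snort.conf fragment that follows it: keep the flow-oriented preprocessors (frag3 and stream5) enabled and ship alerts to syslog, which is what the original poster is doing. This is an added example written for this archive page, not a configuration posted by anyone in the thread; the network variables, the syslog host and the choice of `linux` target policy are assumptions, so adjust them to the monitored segment.

```conf
# Added example snort.conf fragment (not from the thread).
# Assumed network variables; replace with the monitored segment.
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

# IP defragmentation: without this, a rule that matches a payload
# can be evaded simply by splitting it across fragments.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux detect_anomalies

# TCP/UDP stream reassembly and state tracking. This is the
# "stream5 and/or frag should be enabled almost always" from the reply:
# it lets rules with flow:established fire on reassembled sessions
# instead of on isolated packets, and silences the
# "No preprocessors configured for policy 0" warning.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 262144, max_udp 131072
preprocessor stream5_tcp: policy linux, ports both all, \
    detect_anomalies, overlap_limit 10
preprocessor stream5_udp: timeout 180

# Send alerts to a remote syslog collector (assumed address/port),
# as in the poster's Kiwi setup; facility and priority are examples.
output alert_syslog: host=192.0.2.10:514, LOG_LOCAL5 LOG_ALERT

# Rules to run; the path is an assumption.
include /etc/snort/rules/local.rules
```

Validate the file before pointing production traffic at it with `snort -T -c /etc/snort/snort.conf`, which parses the configuration and exits: a clean test run should no longer print the policy 0 preprocessor warning. If anything still has to be removed for performance, trim from this working baseline rather than from an empty one, as the reply suggests.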

From: David A. [mailto:ti1ion2005 () gmail com]
Sent: Tuesday, March 01, 2016 10:23 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Preprocessor Question.

Thank you for the reply.  I will work on enabling (or configuring and disabling) one, or both, preprocessors to remove 
the warning.

In my scenario, and I am new to using Snort, I am making limited use of its capabilities to mostly log everything and 
pass it to a syslog server -- Kiwi in my case, where I have created filters based on alerts I would like to receive.
I realize that my use of Snort is very basic.  I just wish the new version would provide output like the old one, 
instead of adding this warning to seemingly every packet it logs.

On Tue, Mar 1, 2016 at 9:06 AM, Al Lewis (allewi) <allewi () cisco com> wrote:
Without any preprocessors enabled you won't get much use as stream5 and/or frag should be enabled almost always for any 
type of inspection.

Are you just trying to log traffic or inspect it?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: David A. [mailto:ti1ion2005 () gmail com]
Sent: Tuesday, March 01, 2016 8:43 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Preprocessor Question.

Hello everyone,
I am currently using Snort version 2.9.6.0 successfully with a very simple, custom snort.conf file that defines a few 
variables, allows some traffic to be ignored and then forwards everything else to a syslog server.
Recently, I have set up a second machine -- in this case a Raspberry Pi -- with Snort 2.9.7.0-3 and intend to use it 
the same way as the previous system.  However, it seems that the new version of Snort has introduced functionality that 
adds a "WARNING: No preprocessors configured for policy 0" to everything Snort processes.  I am not using preprocessors 
and don't have anything defined in my snort.conf.  I am not using decoders and don't have them defined, either.  I 
tried the "autoconfigure" command in my snort.conf, but that did not do anything.  As a result, my logs are filling up 
with this warning message and I have not been able to find a way of stopping it.
I have Googled this issue and the answer always comes back to reading the Snort manual (I have read the portions 
linked) and defining preprocessors.  I don't have any preprocessors and don't wish to have any.  Is there something I 
can do to stop Snort from issuing this warning?
Thank you for your help.
