Re: Preprocessor Question.

["David A." <ti1ion2005 () gmail com>]

Hello Al,

So, the device I was working with -- a Raspberry Pi -- was not able to run
with the full snort configuration.  However, I did enable stream5 and frag
and this took care of the warning message problem.  Thank you for assisting
me with that.

The standard config will have to go on a proper server.

On Tue, Mar 1, 2016 at 10:59 AM, David A. <ti1ion2005 () gmail com> wrote:

> Thanks again.  I will take a look at what I can do with the default config
> file.
>
> On Tue, Mar 1, 2016 at 10:55 AM, Al Lewis (allewi) <allewi () cisco com>
> wrote:
>
> > It does. But running snort in IDS mode with NO preprocessors doesn’t make
> > much sense. It will make an evasion pretty trivial and give you a gang of
> > false positives.
> >
> >
> >
> > I would suggest you start with the default snort config running the
> > latest version of snort from the site. Then scale back/enable things you
> > need from that point.
> >
> >
> >
> > Let us know how it goes!
> >
> >
> >
> >
> >
> > Albert Lewis
> >
> > QA Software Engineer
> >
> > SOURCE*fire*, Inc. now part of *Cisco*
> >
> > 9780 Patuxent Woods Drive
> > Columbia, MD 21046
> >
> > Phone: (office) 443.430.7112
> >
> > Email: allewi () cisco com
> >
> >
> >
> > *From:* David A. [mailto:ti1ion2005 () gmail com]
> > *Sent:* Tuesday, March 01, 2016 10:23 AM
> > *To:* Al Lewis (allewi)
> > *Cc:* snort-users () lists sourceforge net
> > *Subject:* Re: [Snort-users] Preprocessor Question.
> >
> >
> >
> > Thank you for the reply.  I will work on enabling (or configuring and
> > disabling) one, or both, preprocessors to remove the warning.
> >
> >
> > In my scenario, and I am new to using Snort, I am making limited use of
> > its capabilities to mostly log everything and pass it to a syslog server --
> > Kiwi in my case, where I have created filters based on alerts I would like
> > to receive.
> >
> > I realize that my use of Snort is very basic.  I just wish the new
> > version would provide output like the old one, instead of adding this
> > warning to seemingly every packet it logs.
> >
> >
> >
> > On Tue, Mar 1, 2016 at 9:06 AM, Al Lewis (allewi) <allewi () cisco com>
> > wrote:
> >
> > Without any preprocessors enabled you wont get much use as stream5 and/or
> > frag should be enabled almost always for any type of inspection.
> >
> >
> >
> > Are you just trying to log traffic or inspect it?
> >
> >
> >
> > Albert Lewis
> >
> > QA Software Engineer
> >
> > SOURCE*fire*, Inc. now part of *Cisco*
> >
> > 9780 Patuxent Woods Drive
> > Columbia, MD 21046
> >
> > Phone: (office) 443.430.7112
> >
> > Email: allewi () cisco com
> >
> >
> >
> > *From:* David A. [mailto:ti1ion2005 () gmail com]
> > *Sent:* Tuesday, March 01, 2016 8:43 AM
> > *To:* snort-users () lists sourceforge net
> > *Subject:* [Snort-users] Preprocessor Question.
> >
> >
> >
> > Hello everyone,
> >
> > I am currently using Snort version 2.9.6.0 successfully with a very
> > simple, custom snort.conf file that defines a few variables, allows some
> > traffic to be ignored and then forwards everything else to a syslog server.
> >
> > Recently, I have set up a second machine -- in this case a Raspberry Pi
> > -- with Snort 2.9.7.0-3 and intend to use it the same way as the previous
> > system.  However, it seems that the new version of Snort has introduced
> > functionality that adds a "WARNING: No preprocessors configured for policy
> > 0" to everything Snort processes.  I am not using preprocessors and don't
> > have anything defined in my snort.conf.  I am not using decoders and don't
> > have them defined, either.  I tried the "autoconfigure" command in my
> > snort.conf, but that did not do anything.  As a result, my logs are filling
> > up with this warning message and I have not been able to find a way of
> > stopping it.
> >
> > I have Googled this issue and the answer always comes back to reading the
> > Snort manual (I have read the portions linked) and defining preprocessors.
> > I don't have any preprocessors and don't wish to have any.  Is there
> > something I can do to stop Snort from issuing this warning?
> >
> > Thank you for your help.
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://makebettercode.com/inteldaal-eval

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!