Snort mailing list archives

Re: EXTERNAL:Re: Snort.config issue


From: "Carter Waxman (cwaxman) via Snort-users" <snort-users () lists snort org>
Date: Thu, 16 Aug 2018 15:13:40 +0000

    u_encode yes \ ->     u_encode yes
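
A small checker that reproduces the failure described in this thread and applies the fix above, added here as an example; it is not part of the thread or of Snort. The config excerpt inside it is constructed, and the directive keyword list and the skip-comments-then-continue parsing behaviour are assumptions inferred from the reported error, not taken from Snort's parser source.

```python
import re

# Constructed excerpt (not the poster's file) reproducing the thread's mistake: the last live
# http_inspect_server option still ends in "\" although everything after it is commented out.
BROKEN_CONF = """\
preprocessor http_inspect_server: server default \\
    ports { 80 8080 } \\
    utf_8 no \\
    u_encode yes \\
#   webroot no \\
#   decompress_pdf { deflate }

# ONC-RPC normalization and anomaly detection.
preprocessor rpc_decode: 111 32770 no_alert_multiple_requests
"""

# Assumed top-level directive keywords; the list is illustrative, not taken from Snort's parser.
DIRECTIVE = re.compile(r"^(preprocessor|config|output|include|var|ipvar|portvar)\b")

def join_logical_lines(text):
    """Join "\\"-continued lines as the error in the thread implies Snort 2 does (blank and
    '#' lines skipped). Yields (start_line_no, joined_text, swallowed_directive_line_nos)."""
    buf, start, swallowed = "", None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        elif DIRECTIVE.match(line):
            swallowed.append(no)          # a new directive glued onto the open one
        buf += line.rstrip("\\").rstrip() + " "
        if not line.endswith("\\"):
            yield start, buf.strip(), swallowed
            buf, start, swallowed = "", None, []

def find_swallowed_directives(text):
    """(directive_start, swallowed_line, swallowed_text); Snort cites the swallowed line (330)."""
    lines = text.splitlines()
    return [(s, n, lines[n - 1].strip()) for s, _, sw in join_logical_lines(text) for n in sw]

def strip_dangling_backslashes(text):
    """The fix from the reply above: drop the "\\" on the last live line before each swallow."""
    lines = text.splitlines()
    for _, n, _ in find_swallowed_directives(text):
        i = n - 2                          # last live line before the swallowed directive
        while not lines[i].strip() or lines[i].lstrip().startswith("#"):
            i -= 1
        lines[i] = lines[i].rstrip()[:-1].rstrip()
    return "\n".join(lines) + "\n"
```

Run against a real snort.conf, the first element of each reported tuple is the line where the runaway directive starts, which is the line the trailing backslash has to come off.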

From: Alec Mason AFS <Alec.Mason () activefleetsolutions com>
Date: Thursday, August 16, 2018 at 11:12 AM
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: RE: EXTERNAL:Re: [Snort-users] Snort.config issue

Apologies – new to this!!!

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
   server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1812 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5450 5600 5814 6080 6173 6988 7000 7001 7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
#   webroot no \
#   decompress_swf { deflate lzma } \
#   decompress_pdf { deflate }

# ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

# Back Orifice detection.
preprocessor bo

Alec Mason
Group IT & Infrastructure Director

ARVS Limited T/A Active Fleet Solutions
Parkway House, Second Avenue, Centrum 100, Burton on Trent, DE14 2WF

Mob: 07824 875880      Tel: 0845 600 4755      Fax: 0845 600 4754
e-mail: alec.mason () activefleetsolutions com<mailto:alec.mason () activefleetsolutions com>

Please consider the environment before printing

Email disclaimer
 This email and any files and information transmitted with it are confidential and intended solely for the sole and 
lawful use of the individual or entity to whom they are addressed. It may also be privileged or otherwise protected by 
other legal rules. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from 
your system. You are notified that disclosing, copying, distributing or taking any action in reliance on the contents 
of this information is strictly prohibited.
WARNING: Computer viruses can be transmitted via email. Although the company has taken reasonable precautions to ensure 
no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the 
transmission or use of this email or attachments.
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily 
represent those of the company.

From: Carter Waxman (cwaxman) [mailto:cwaxman () cisco com]
Sent: 16 August 2018 16:10
To: Alec Mason AFS; snort-users () lists snort org
Subject: Re: EXTERNAL:Re: [Snort-users] Snort.config issue

Go up to the end of http_inspect_server. That error is specific to that preprocessor.

From: Alec Mason AFS <Alec.Mason () activefleetsolutions com>
Date: Thursday, August 16, 2018 at 11:07 AM
To: "Carter Waxman (cwaxman)" <cwaxman () cisco com>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: RE: EXTERNAL:Re: [Snort-users] Snort.config issue

Hi

This is what the lines around it look like

#   webroot no \
#   decompress_swf { deflate lzma } \
#   decompress_pdf { deflate }

# ONC-RPC normalization and anomaly detection.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

# Back Orifice detection.
preprocessor bo

Thanks

Alec Mason
Group IT & Infrastructure Director


From: Carter Waxman (cwaxman) [mailto:cwaxman () cisco com]
Sent: 16 August 2018 16:06
To: Alec Mason AFS; snort-users () lists snort org
Subject: EXTERNAL:Re: [Snort-users] Snort.config issue

Check the line before it for a ‘\’ at the end which means continue this directive on the next line. It thinks you are 
trying to use ‘preprocessor’ as a configuration option for http.

- Carter

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Alec Mason AFS via Snort-users <snort-users () lists snort org>
Reply-To: Alec Mason AFS <Alec.Mason () activefleetsolutions com>
Date: Thursday, August 16, 2018 at 10:59 AM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort.config issue

Hi

I am new to Snort and trying to follow instructions to install and configure Snort on Windows.

I am getting the following error message when I am checking the install

ERROR: C:\Snort\etc\snort.config(330) =>invalid keyword 'preprocessor' for server configuration

On line 330 of snort.config there is the following

preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete

Any suggestions

Thanks

Alec Mason


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
