Snort mailing list archives
Re: snort error config option "detection" ...
From: <Gregory.Brunn () compucom com>
Date: Sun, 25 Oct 2009 08:45:46 -0500
Have you verified that snort is seeing traffic that would be my first step. Run snort as a packet sniffer # snort -dev. ________________________________ From: Adam Szabo [mailto:adamx001 () gmail com] Sent: Sunday, October 25, 2009 9:08 AM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] snort error config option "detection" ... Thank you all. My ubuntu was all messed up so i reinstalled the whole system and it works now. I successfully installed BASE and i see the web surface but there are 0 alerts. I'm behind a router, but there should be alerts on my local network also, am i right? Snort is running since half an hour. Adam Szabo On Sat, Oct 24, 2009 at 6:35 PM, Nigel Houghton <nhoughton () sourcefire com> wrote: On Sat, Oct 24, 2009 at 1:15 PM, Adam Szabo <adamx001 () gmail com> wrote: > Detection: Search-Method = AC-BNFA-Q > ERROR: /etc/snort/snort.conf(273) Config option "detection" can only be > configured once. > > Adam Szabo > > On Sat, Oct 24, 2009 at 6:23 PM, Nigel Houghton <nhoughton () sourcefire com> > wrote: >> >> On Sat, Oct 24, 2009 at 3:47 AM, Adam Szabo <adamx001 () gmail com> wrote: >> > Still not working. The configuration is the default i downloaded from >> > snort.com. I only changed the HOME_NET and EXTERNAL_NET variables and >> > the >> > rules path. >> > >> > Adam Szabo >> > >> > On Thu, Oct 22, 2009 at 10:43 PM, Russ Combs <rcombs () sourcefire com> >> > wrote: >> >> >> >> You've got a typo on every line! (see below) >> >> >> >> With those fixes I can run either lines 1 and 3 or lines 2 and 3 >> >> through >> >> snort -T. >> >> >> >> If that doesn't fix it, send your conf. >> >> >> >> Russ >> >> On Thu, Oct 22, 2009 at 2:15 PM, Adam Szabo <adamx001 () gmail com> wrote: >> >>> >> >>> I have these: >> >>> config detection: search-method lowmen >> >> >> >> lowmen -> lowmem >> >> >> >>> >> >>> config detection: search method ac-bnfa max_queue_events 5 >> >> >> >> search method -> search-method >> >> >> >>> >> >>> config event_queue: max_queue 8 log 3 order_events content_lenght >> >> >> >> content_lenght -> content-length >> >>> >> >>> Adam Szabo >> >>> >> >>> On Thu, Oct 22, 2009 at 8:09 PM, Matt Olney <molney () sourcefire com> >> >>> wrote: >> >>>> >> >>>> Is it possible that you have multiple detection statements? >> >>>> >> >>>> grep detection snort.conf >> >>>> >> >>>> On Thu, Oct 22, 2009 at 1:58 PM, Adam Szabo <adamx001 () gmail com> >> >>>> wrote: >> >>>> > Hi, >> >>>> > I'm running Snort 2.8.5 on Ubuntu linux and i'm getting this error >> >>>> > when i >> >>>> > start Snort (snort -c /etc/snort/snort.conf): >> >>>> > >> >>>> > "Detection: Search-Method = AC-BNFA-Q >> >>>> > ERROR: /etc/snort/snort.conf(273) Config option "detection" can >> >>>> > only >> >>>> > be >> >>>> > configured once." >> >>>> > >> >>>> > I did not change anything near line 273, so i don't know why is >> >>>> > this >> >>>> > happening. Can you help me? >> >>>> > >> >>>> > Thank you, >> >>>> > Adam Szabo >> >>>> > >> >>>> > >> >>>> > >> >>>> > ------------------------------------------------------------------------ ------ >> >>>> > Come build with us! The BlackBerry(R) Developer Conference in SF, >> >>>> > CA >> >>>> > is the only developer event you need to attend this year. Jumpstart >> >>>> > your >> >>>> > developing skills, take BlackBerry mobile applications to market >> >>>> > and >> >>>> > stay >> >>>> > ahead of the curve. Join us from November 9 - 12, 2009. Register >> >>>> > now! >> >>>> > http://p.sf.net/sfu/devconference >> >>>> > _______________________________________________ >> >>>> > Snort-users mailing list >> >>>> > Snort-users () lists sourceforge net >> >>>> > Go to this URL to change user options or unsubscribe: >> >>>> > https://lists.sourceforge.net/lists/listinfo/snort-users >> >>>> > Snort-users list archive: >> >>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users >> >>>> > >> >>> >> >>> >> >>> >> >>> >> >>> ------------------------------------------------------------------------ ------ >> >>> Come build with us! The BlackBerry(R) Developer Conference in SF, CA >> >>> is the only developer event you need to attend this year. Jumpstart >> >>> your >> >>> developing skills, take BlackBerry mobile applications to market and >> >>> stay >> >>> ahead of the curve. Join us from November 9 - 12, 2009. Register now! >> >>> http://p.sf.net/sfu/devconference >> >>> _______________________________________________ >> >>> Snort-users mailing list >> >>> Snort-users () lists sourceforge net >> >>> Go to this URL to change user options or unsubscribe: >> >>> https://lists.sourceforge.net/lists/listinfo/snort-users >> >>> Snort-users list archive: >> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users >> >> >> > >> > >> > >> > ------------------------------------------------------------------------ ------ >> > Come build with us! The BlackBerry(R) Developer Conference in SF, CA >> > is the only developer event you need to attend this year. Jumpstart your >> > developing skills, take BlackBerry mobile applications to market and >> > stay >> > ahead of the curve. Join us from November 9 - 12, 2009. Register now! >> > http://p.sf.net/sfu/devconference >> > _______________________________________________ >> > Snort-users mailing list >> > Snort-users () lists sourceforge net >> > Go to this URL to change user options or unsubscribe: >> > https://lists.sourceforge.net/lists/listinfo/snort-users >> > Snort-users list archive: >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users >> > >> >> >> What exactly is the error you are getting now? >> >> -- >> Nigel Houghton >> Head Mentalist >> SF VRT >> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/ > > > ------------------------------------------------------------------------ ------ > Come build with us! The BlackBerry(R) Developer Conference in SF, CA > is the only developer event you need to attend this year. Jumpstart your > developing skills, take BlackBerry mobile applications to market and stay > ahead of the curve. Join us from November 9 - 12, 2009. Register now! > http://p.sf.net/sfu/devconference > _______________________________________________ > Snort-users mailing list > Snort-users () lists sourceforge net > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/listinfo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.php3?list=snort-users > Then you aren't using the snort.conf from the tarball with only the edits you say you made. I get no such error with the standard snort.conf. I suggest you go back to step 1, copy the snort.conf to /etc/snort/snort.conf and try running snort with the -T option and probably with the -c option to make sure you are getting the right snort.conf. (you probably want to edit first to make sure your rule path is correct) -- Nigel Houghton Head Mentalist SF VRT http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
------------------------------------------------------------------------------ Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort error config option "detection" ... Adam Szabo (Oct 22)
- Re: snort error config option "detection" ... Matt Olney (Oct 22)
- Re: snort error config option "detection" ... Adam Szabo (Oct 22)
- Re: snort error config option "detection" ... Russ Combs (Oct 22)
- Re: snort error config option "detection" ... Adam Szabo (Oct 24)
- Re: snort error config option "detection" ... Nigel Houghton (Oct 24)
- Re: snort error config option "detection" ... Adam Szabo (Oct 24)
- Re: snort error config option "detection" ... Nigel Houghton (Oct 24)
- Re: snort error config option "detection" ... Adam Szabo (Oct 25)
- Re: snort error config option "detection" ... Gregory.Brunn (Oct 25)
- Re: snort error config option "detection" ... Adam Szabo (Oct 25)
- Re: snort error config option "detection" ... Adam Szabo (Oct 25)
- Re: snort error config option "detection" ... Adam Szabo (Oct 22)
- Re: snort error config option "detection" ... Matt Olney (Oct 22)
- Re: snort error config option "detection" ... Adam Szabo (Oct 22)