Snort mailing list archives

Re: troubleshooting snort


From: "Seth Dunn" <seth () d2ms com>
Date: Tue, 4 Jun 2013 07:49:55 -0400

Looking at your snort.conf file, try putting a space between the '#' and
the first character.
You can also try commenting out the preprocessor lines.

# preprocessor stream5_tcp
# preprocessor stream5_udp

# Does nothing in IDS mode
# preprocessor normalize_ip4
# preprocessor normalize_tcp: ips ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6

# Target-based IP defragmentation.  For more inforation, see README.frag3
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux timeout 180 detect_anomalies
 #policy windows detect_anomalies timeout 180 overlap_limit 10 min_fragment_length 100

# Target-Based stateful inspection/stream reassembly.  For more inforation, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   #max_active_responses 2, \
   #min_response_seconds 5
# preprocessor stream5_tcp: policy first, use_static_footprint_sizes,
ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 111
161 445 513 514 691 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669
7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778
32779, ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918
7919 7920
# preprocessor stream5_udp: timeout 180, ignore_any_rules

 

From: Russ Combs [mailto:rcombs () sourcefire com] 
Sent: Tuesday, June 04, 2013 7:18 AM
To: Seth Dunn
Cc: soukaina mzerda; snort-users () lists sourceforge net
Subject: Re: [Snort-users] troubleshooting snort

 

Look carefully at stream5_global and make sure that there isn't a line
continuation ( '\' ) at the end of those options causing stream5_tcp to
appear as one of them.  stream5_global and stream5_tcp must be separate.

On Tue, Jun 4, 2013 at 7:05 AM, Seth Dunn <seth () d2ms com> wrote:

Go to that line in your snort.conf file and comment it out, and try
again

 

From: soukaina mzerda [mailto:soukaina.mz () gmail com] 
Sent: Tuesday, June 04, 2013 7:03 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] troubleshooting snort

 

Hi,

I've configured Snort on Ubuntu with all packages needed, but I'm facing
some troubles here while running Snort in IDS mode, saying that

( ERROR: /etc/snort/etc/snort.conf(283) => Unknown Stream5 global option
(preprocessor stream5_tcp: policy first)

Fatal Error, Quitting..)

Please, I need help. I've done all the configuration and I have to
complete this by the end of the day heeeeeeeeeeelp!

 


------------------------------------------------------------------------
------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

 

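The failure Russ Combs describes in the thread above (a trailing '\' on the last stream5_global option folding the next preprocessor line into it) can be checked for mechanically. The script below is an added example, not part of the original thread and not Snort code; the function name, the keyword list, the constructed sample config, and the choice to treat a backslash followed only by whitespace as a continuation are assumptions.

```python
import re

# Keywords that begin a new snort.conf statement (Snort 2.x). A line starting
# with one of these should never sit inside a continued statement.
# (Assumed list for this example; extend it for your own config.)
DIRECTIVE = re.compile(r"^\s*(preprocessor|config|var|ipvar|portvar|output|include)\b")
# Assumption: a backslash followed only by whitespace still continues the line.
CONTINUES = re.compile(r"\\\s*$")

# Constructed sample modelled on the thread: the last stream5_global option
# still ends in ", \", so the stream5_tcp line is read as a global option.
SAMPLE_BROKEN = """\
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_udp 131072, \\
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: timeout 180, ignore_any_rules
"""
# Same config with the stray continuation (and its comma) removed.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("max_udp 131072, \\\n", "max_udp 131072\n")


def find_swallowed_directives(conf_text):
    """Return (start_line, swallowed_line, text) for each directive that a
    trailing backslash has folded into the statement begun at start_line."""
    findings = []
    start = None  # first line of the statement currently being continued
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if start is not None and DIRECTIVE.match(line):
            findings.append((start, lineno, line.strip()))
            start = None  # the flagged line is meant to be a fresh statement
        if CONTINUES.search(line):
            if start is None:
                start = lineno
        else:
            start = None  # a line without a trailing '\' ends the statement
    return findings


if __name__ == "__main__":
    for first, bad, text in find_swallowed_directives(SAMPLE_BROKEN):
        print(f"line {bad}: '{text}' is continued from line {first}; "
              f"remove the trailing '\\' before it")
```

Lines that are commented out with '#' are not flagged, so the check only reports directives that Snort would actually try to parse as options of the preceding statement.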