Re: Preprocessor Question.

["David A." <ti1ion2005 () gmail com>]

Thanks again.  I will take a look at what I can do with the default config
file.

On Tue, Mar 1, 2016 at 10:55 AM, Al Lewis (allewi) <allewi () cisco com> wrote:

> It does. But running snort in IDS mode with NO preprocessors doesn’t make
> much sense. It will make an evasion pretty trivial and give you a gang of
> false positives.
>
>
>
> I would suggest you start with the default snort config running the latest
> version of snort from the site. Then scale back/enable things you need from
> that point.
>
>
>
> Let us know how it goes!
>
>
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* David A. [mailto:ti1ion2005 () gmail com]
> *Sent:* Tuesday, March 01, 2016 10:23 AM
> *To:* Al Lewis (allewi)
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Preprocessor Question.
>
>
>
> Thank you for the reply.  I will work on enabling (or configuring and
> disabling) one, or both, preprocessors to remove the warning.
>
>
> In my scenario, and I am new to using Snort, I am making limited use of
> its capabilities to mostly log everything and pass it to a syslog server --
> Kiwi in my case, where I have created filters based on alerts I would like
> to receive.
>
> I realize that my use of Snort is very basic.  I just wish the new version
> would provide output like the old one, instead of adding this warning to
> seemingly every packet it logs.
>
>
>
> On Tue, Mar 1, 2016 at 9:06 AM, Al Lewis (allewi) <allewi () cisco com>
> wrote:
>
> Without any preprocessors enabled you wont get much use as stream5 and/or
> frag should be enabled almost always for any type of inspection.
>
>
>
> Are you just trying to log traffic or inspect it?
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* David A. [mailto:ti1ion2005 () gmail com]
> *Sent:* Tuesday, March 01, 2016 8:43 AM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Preprocessor Question.
>
>
>
> Hello everyone,
>
> I am currently using Snort version 2.9.6.0 successfully with a very
> simple, custom snort.conf file that defines a few variables, allows some
> traffic to be ignored and then forwards everything else to a syslog server.
>
> Recently, I have set up a second machine -- in this case a Raspberry Pi --
> with Snort 2.9.7.0-3 and intend to use it the same way as the previous
> system.  However, it seems that the new version of Snort has introduced
> functionality that adds a "WARNING: No preprocessors configured for policy
> 0" to everything Snort processes.  I am not using preprocessors and don't
> have anything defined in my snort.conf.  I am not using decoders and don't
> have them defined, either.  I tried the "autoconfigure" command in my
> snort.conf, but that did not do anything.  As a result, my logs are filling
> up with this warning message and I have not been able to find a way of
> stopping it.
>
> I have Googled this issue and the answer always comes back to reading the
> Snort manual (I have read the portions linked) and defining preprocessors.
> I don't have any preprocessors and don't wish to have any.  Is there
> something I can do to stop Snort from issuing this warning?
>
> Thank you for your help.
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!