
| Field | Value |
|---|---|
| ID | 0000849 |
| Project | PacketFence |
| View Status | public |
| Date Submitted | 2009-11-12 13:52 |
| Last Update | 2011-01-26 15:43 |
| Reporter | obilodeau |
| Assigned To | obilodeau |
| Priority | high |
| Severity | minor |
| Reproducibility | sometimes |
| Status | closed |
| Resolution | fixed |
| Summary | 0000849: snort default config syntax error |
| Description | Our default snort config uses the flow preprocessor. According to snort's changelog, it's not there since 2008-10-03, which would be something like 2.8.x. stream5 would be a contender to replace the flow preprocessor. We would need to fix our default template. |
| Tags | No tags attached. |
Notes
(0001397) obilodeau (reporter) 2009-11-13 10:16

It seems that although flow is not listed in snort's preprocessors, it is still accepted as a valid preprocessor. The problem is not there. It's more about the parameters. Here's the fix, in conf/templates/snort.conf, change:

- from: `preprocessor flow: memcap 262144000, stats_interval 0, hash 2`
- to: `preprocessor flow: memcap 262144000 stats_interval 0 hash 2`

I would need to test that in the lab.

(0001404) obilodeau (reporter) 2009-11-17 16:47

Following the above comment's guideline does get you further; however, as soon as pfdetect hooks on the var/alert file, snort issues a fatal error:
```text
[root@pf-dev pf]# /usr/sbin/snort -u pf -c /usr/local/pf/conf/snort.conf -i eth1 -N -l /usr/local/pf/var
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/pf/conf/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
PortVar 'SHELLCODE_PORTS' defined :  [ any ]
Tagged Packet Limit: 256
Log directory = /usr/local/pf/var
PerfMonitor config:
    Time:           600 seconds
    Flow Stats:     ACTIVE
    Event Stats:    INACTIVE
    Max Perf Stats: ACTIVE
    Console Mode:   INACTIVE
    File Mode:      /usr/local/pf/logs/snortstat
    SnortFile Mode: INACTIVE
    Packet Count:   90000
    Dump Summary:   No
    Max file size:  2147483648
ERROR: /usr/local/pf/conf/snort.conf(25) Unknown preprocessor: "flow".
Fatal Error, Quitting..
```

(0001407) obilodeau (reporter) 2009-11-19 14:45

Took default preprocessors from /etc/snort/snort.conf. Fixed in 1.8 branch: http://mtn.inverse.ca/revision/info/4035cca68326bfae23143f7b9eb036233d3bf6fa. Will be ported to 1.9. A test case has been added to check for that behavior also (pfdetect stops after tailing the snort pipe).
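As an added example (not PacketFence or Snort code), a small checker for the two problems the notes above describe: a snort.conf template that still loads the retired `flow` preprocessor, and the comma-separated option syntax of the original template line. The sample configuration is constructed for the demonstration; the retirement of `flow` in 2.8.x and the stream5 suggestion are taken from the issue description.

```python
import re
from typing import List, Tuple

# Per the issue description: flow is gone from Snort 2.8.x; stream5 is the
# suggested replacement.
RETIRED_PREPROCESSORS = {"flow": "stream5"}

# Constructed sample. The flow line is the original template line from
# conf/templates/snort.conf quoted in note 0001397.
SAMPLE_CONF = """\
# constructed snort.conf excerpt
var HOME_NET any
portvar HTTP_PORTS 80
preprocessor flow: memcap 262144000, stats_interval 0, hash 2
preprocessor perfmonitor: time 600 file /usr/local/pf/logs/snortstat max
"""

_PREPROC = re.compile(r"^\s*preprocessor\s+(\w+)\s*(?::\s*(.*))?$")


def check_preprocessors(conf_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, preprocessor_name, finding) for every
    'preprocessor' directive that this issue says Snort rejects."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        match = _PREPROC.match(line)
        if not match:
            continue
        name, options = match.group(1), match.group(2) or ""
        if name in RETIRED_PREPROCESSORS:
            findings.append((lineno, name,
                             f'Unknown preprocessor "{name}" in Snort 2.8.x; '
                             f"use {RETIRED_PREPROCESSORS[name]} instead"))
            # Note 0001397: an older Snort that still accepts flow wants the
            # options space-separated, not comma-separated.
            if "," in options:
                findings.append((lineno, name,
                                 "flow options must not be comma-separated: "
                                 + options.replace(",", "")))
    return findings


if __name__ == "__main__":
    for lineno, name, finding in check_preprocessors(SAMPLE_CONF):
        print(f"snort.conf({lineno}) {name}: {finding}")
```

Running the checker over a real template before deploying it catches the error at review time instead of when snort starts on the enforcement host.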
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-11-12 13:52 | obilodeau | New Issue | |
| 2009-11-12 13:52 | obilodeau | Status | new => assigned |
| 2009-11-12 13:52 | obilodeau | Assigned To | => obilodeau |
| 2009-11-13 10:16 | obilodeau | Note Added: 0001397 | |
| 2009-11-13 14:10 | obilodeau | Summary | snort doesn't support flow preprocessor => snort default config syntax error |
| 2009-11-17 16:47 | obilodeau | Note Added: 0001404 | |
| 2009-11-19 14:45 | obilodeau | Note Added: 0001407 | |
| 2009-11-19 14:45 | obilodeau | Status | assigned => resolved |
| 2009-11-19 14:45 | obilodeau | Resolution | open => fixed |
| 2011-01-26 15:43 | obilodeau | Status | resolved => closed |