Snort Forums Archive
Anyone seen this before? Not sure how to proceed.
Posted by evlbass705 on March 17, 2005 12:08:59
D:\Snort\etc\snort.conf(246) => Invalid keyword 'preprocessor' for
'global' configuration. Fatal error, Quitting...

Posted by roesch on March 19, 2005 17:18:21
Can you show us what line 246 of the snort.conf file says? Which version of Snort is this?
-Marty

Posted by morango on March 22, 2005 09:44:34
Having same error except on (247)
line 247 reads as: preprocessor http_inspect: global \

Posted by evlbass705 on March 22, 2005 12:07:14
Hey, I gave a little misinformation, the actual error was this:
ERROR: C:\Snort\etc\snort.conf.$$$(201) => Invalid keyword 'preprocessor' for '
lobal' configuration.
Fatal Error, Quitting..
I'm attempting to use Snort-2_3ORC2
It works fine when I run it from the command line, but I can't get it to start as a service or get IDS to start it successfully. Sorry for the delayed response, I've had a larger than usual number of confused users....
-Keith

Posted by Mike on February 24, 2006 06:23:06
Hi, I have the same problem. Has anybody found a solution to this? Using IDScenter with snort version 2.4.
Thanks.

Posted by MJM on July 25, 2006 06:17:45
Same problem, line 247, running Snort Version 2.3.2-ODBC-MySQL-FlexRESP-WIN32 (Build 12) with command line:
snort -dev -i2 -l ..\log -c ..\etc\snort.conf
Error is:
ERROR: ..\etc\snort.conf(247) => Invalid keyword 'preprocessor' for 'global' configuration.
Fatal Error, Quitting..
Line 247 is: include C:\Admin\Utilities\Snort\etc\classification.config
My classification.config is:
# $Id: classification.config,v 1.11 2003/10/20 15:03:03 chrisgreen Exp $
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2

Posted by BrandonGreenwood on July 26, 2006 11:42:31
As a test can you comment out line 247?
-Brandon

Posted by MJM on July 26, 2006 11:50:39
[Posted this over in Windows forum...but I did cut & paste the contents of the included file right into snort.conf (commenting out line 247) and got the same error. Snort & IDSCenter don't inter-operate. All better once I restored the original snort.conf.]
Well apparently IDSCenter overwrites the installed snort.conf with its own version, and the IDSCenter version is incompatible with Snort. I'd recommend that until the IDSCenter is updated and maintained, stay away. It would be a very useful tool, but should probably be removed or marked "deprecated" for now.

Posted by BrandonGreenwood on July 26, 2006 12:29:24
I didn't even see that reference to IDSCenter. Good that you at least got it squared away.
-Brandon
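
Added example, not part of any post above and not Snort or IDScenter code: a small Python lint for the line quoted in the thread (`preprocessor http_inspect: global \`). It assumes, without confirmation from the thread, that the error appears when a trailing backslash joins the next directive onto the `global` line; the sample config and the `DIRECTIVES` list are constructed for illustration.

```python
# Added example (not Snort or IDScenter code).
# Assumption: a trailing backslash makes the parser read the following line
# as part of the same directive, so a directive keyword on that line is
# treated as an option of the previous one.

# Constructed sample modelled on the line quoted in the thread.
SAMPLE_CONF = """\
var HOME_NET any
preprocessor http_inspect: global \\
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 }
include classification.config
"""

# Keywords that normally start a snort.conf line (illustrative list).
DIRECTIVES = ("preprocessor", "include", "config", "var", "output")


def logical_lines(text):
    """Yield lists of (line_no, fragment) joined by trailing backslashes."""
    parts = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not parts and (not line or line.startswith("#")):
            continue  # blank or comment line outside a continuation
        continued = line.endswith("\\")
        parts.append((no, line[:-1].strip() if continued else line))
        if not continued:
            yield parts
            parts = []
    if parts:  # file ended while a continuation was still open
        yield parts


def find_swallowed_directives(text):
    """Return (start_line, offending_line, keyword) for every directive
    keyword that begins a continuation line."""
    findings = []
    for parts in logical_lines(text):
        start = parts[0][0]
        for no, frag in parts[1:]:
            word = frag.split(None, 1)[0] if frag else ""
            if word in DIRECTIVES:
                findings.append((start, no, word))
    return findings


if __name__ == "__main__":
    for start, no, word in find_swallowed_directives(SAMPLE_CONF):
        print(f"line {no}: '{word}' is continued from line {start}")
```

Run it against the snort.conf that the service or front end actually loads, since the thread shows that file can differ from the one edited by hand.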