Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Windows » Invalid keyword 'preprocessor' for 'global' configuration.

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

Invalid keyword 'preprocessor' for 'global' configuration.


Posted by MJM on July 25, 2006 08:10:38

Having a problem with snort.conf (or included classification.config, possibly with "config classification" interpretation ? cut & paste of that file in place of include did not help), line 247 of snort.conf, running Snort Version 2.3.2-ODBC-MySQL-FlexRESP-WIN32 (Build 12) with command line:

snort -dev -i2 -l ..\log -c ..\etc\snort.conf

Error is:
ERROR: ..\etc\snort.conf(247) => Invalid keyword 'preprocessor' for 'global' configuration.
Fatal Error, Quitting..

Line 247 is: include C:\Admin\Utilities\Snort\etc\classification.config

My classification.config is:

# $Id: classification.config,v 1.11 2003/10/20 15:03:03 chrisgreen Exp $
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#

#
# config classification:shortname,short description,priority
#

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1


# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2

Posted by MJM on July 26, 2006 04:41:53

Well apparently IDSCenter overwrites the installed snort.conf with its own version, and the IDSCenter version is incompatible with Snort. I'd recommend that until the IDSCenter is updated and maintained, stay away. It would be a very useful tool, but should probably be removed or marked "deprecated" for now.
site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.