IPS error on expert mode, ssl_version

I’ve been trying to implement snort with Nethserv for several days, but I cant get it working.
I get this error when Expert mode is enabled:
FATAL ERROR: /etc/snort/rules/snort.rules(6794) Unknown rule option: 'ssl_version'.
This happens because the ssl prepocessor is disabled, but snort.config on nethserv has no option to enable ssl prepocessor and it says it is not editable.
Also snort process stops on expert mode: snort dead but subsys locked.
So, if I can’t edit snort.config what should I do to edit snort configurations to enable ssl preprocessor? Do I really need to add it?

@filippo_carletti @Nas @JOduMonT @fasttech @Linux4All @jackyes or @EddieA might be help you out

1 Like

# ssl_version
in disablesid.conf.
See I want to personalize Snort?


I had a look at this on an updated ns7b1.
Near as I can tell, sslv3 is a problem, don’t know why, but once I identified all the rules referencing sslv3 I got a successful snort start.

1:2019415 1:2019416 1:2019417 1:2019418

I also got a successful hit with a test page.

The issue I’m having is that it’s only seeing traffic directed to the NS node, it’s not seeing network traffic to other nodes even though it’s on taps, it’s like the interfaces are not in promisc. I remember it was described as a different snort setup, something through e-smith… I can’t remember, my thought is it’s setup to scan traffic passing through, say as a gateway, ext to int, and so the interfaces aren’t set to promisc, so it can’t work as a standalone ids on taps. Am I right? Can this be an option?


@filippo_carletti, did the same as @fasttech and it’s working, just got some erros then figured out the other two rules I had to disable. Thank you!!
Just one more question, If I have a rule in another file, how can I add it to enablesid.config?