Snort mailing list archives

Snort Preprocessor Option Delimiters

From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 16 Jul 2002 13:42:33 -0400

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've run across some strange behavior for a Win32 version of Snort
1.86. The comments in snort.conf indicate that the stream4 and
stream4_reassemble preprocessors use comma delimited options. But
when I use the following statement in snort.conf: 
preprocessor stream4_reassemble: clientonly, ports "default"
Snort indicates that no ports are being monitored. Instead, I have to
use: 
preprocessor stream4_reassemble: clientonly ports "default"
However, if I do the same thing for the stream4 preprocessor: 
preprocessor stream4: disable_evasion_alerts detect_scans
the detect_scans option shows as disabled when Snort starts, so I
have to use a comma to separate these options. 
So, which *should* it be? Comma delimited or not? Is this a bug? 
Also, does anyone know if the "disable_evasion_alerts" option is
enabled by default. The start-up messages displayed by Snort do not
seem to change whether I use this option or not in snort.conf. 


Sincerely,  

L. Christopher Luther  
Technical Consultant  
Xybernaut Solutions, Inc.  
(703) 506-0400 x230  
cluther () xybernaut com  
http://www.xybernautsolutions.com  

My PGP Public Key:  
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88

CONFIDENTIALITY NOTE:  This communication contains 
information that is confidential and/or legally privileged.  
This information is intended only for the use of the individual 
or entity named on this communication. If you are not the 
intended recipient, you are hereby notified that any disclosure, 
copying, distribution, printing or other use of, or any action 
in reliance on, the contents of this communication is strictly 
prohibited.  If you receive this communication in error, please 
immediately notify us by telephone at (703) 506-0400. 

- ------------------------------------------------------------
Unsolicited commercial e-mail will automatically be reported
to the appropriate abuse@ - without exception.
- ------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPTRbCau/XM0hJhuIEQI92ACeOC9BJgzHd4xM1Lyr4ZuTC/pJQ9cAn0yl
mwBWju+bDYSMatkDXcaZdbGX
=29DN
-----END PGP SIGNATURE-----

Current thread:

Snort Preprocessor Option Delimiters L. Christopher Luther (Jul 16)
- Re: Snort Preprocessor Option Delimiters Erek Adams (Jul 16)
- <Possible follow-ups>
- RE: Snort Preprocessor Option Delimiters L. Christopher Luther (Jul 16)