Re: Snort Preprocessor Option Delimiters

[Erek Adams <erek () theadamsfamily net>]

On Tue, 16 Jul 2002, L. Christopher Luther wrote:

> I've run across some strange behavior for a Win32 version of Snort
> 1.86. The comments in snort.conf indicate that the stream4 and
> stream4_reassemble preprocessors use comma delimited options.

[...snip...]

> So, which *should* it be? Comma delimited or not? Is this a bug?

It's never a bug, it's a 'unknown software feature'.  :)

Long ago, each preprocessor had thier own parsers within them.  Now things are
changing and moving to a much more standardized method.

(see below)

> Also, does anyone know if the "disable_evasion_alerts" option is
> enabled by default. The start-up messages displayed by Snort do not
> seem to change whether I use this option or not in snort.conf.

I would suggest upgrading to 1.8.7 if you can.  There was quite a bit of
change in the parsing code, and in the stream4 processor.  I'm not saying this
will 'fix' everything, but it would put you on the most solid codebase to work
from.

If you do update to 1.8.7, you'll want to also set the ttl_min value.  There's
been some recent postings on that, so check the archives for the discussion
and use of this.  Note:  It's for 1.8.7, and not 1.8.6.  :-/

Cheers!


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users