Snort mailing list archives
Re: Help to configure SNORT
From: Lorenzo Rossi <condor_rl () libero it>
Date: Tue, 23 Dec 2003 23:00:40 +0100
Hi Matt,

I'm sorry to have posted the message to the wrong mailing list... now I understand. :)

Thanks for your suggestions! You know that the default in "snort.conf" for "spp_stream4" is disable_evasion_alerts. I have enabled "evasion_alerts" even though I did not know well what it does. I know this is the wrong way to do things... but I was trying to have the maximum control over the suspicious traffic.

At the beginning my idea was to enable "evasion_alerts" and modify rules to avoid this control against the servers I know. Honestly, I do not know how to realize this... because I'm still studying the preprocessors and rules syntax... it is not so simple. :(

Do you have any suggestions? Do you think it is a good idea to have "evasion_alerts" enabled even if it causes lots of alerts?

Thanks,
Lorenzo

On Tue, 2003-12-23 at 22:40, Matt Kettler wrote:
At 04:25 PM 12/23/2003, Lorenzo Rossi wrote:
Could you help me to solve this problem?

Ok, you made it to snort-users... did you get the rest of my message? I made the effort to offer some suggestions about your problem itself, and you reposted your question without any changes to reflect that you'd tried my suggestions.

----------------
You should be able to get rid of these by configuring spp_stream4 with disable_evasion_alerts. This is also the default setting in the default snort.conf, so I'm not sure why you've been getting these alerts.
----------------

Do you already have disable_evasion_alerts as a parameter to spp_stream4 in your snort.conf?
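The question Matt asks at the end of the message above (is `disable_evasion_alerts` set on the stream4 line of snort.conf?) can be checked mechanically. The following is an added example, not part of the thread or of Snort itself; the two sample configuration fragments are constructed, and the function names and the choice to report the last stream4 line are assumptions of this sketch.

```python
import re

# Constructed sample snort.conf fragments (not taken from the thread).
SAMPLE_DEFAULT = """\
# stream4: stateful inspection / stream reassembly
preprocessor stream4: detect_scans, \\
    disable_evasion_alerts
preprocessor stream4_reassemble
"""

SAMPLE_ENABLED = """\
#preprocessor stream4: disable_evasion_alerts
preprocessor stream4: detect_scans
"""

def logical_lines(text):
    """Yield config lines with comments removed and backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            yield line
    if pending.strip():
        yield pending.strip()

def stream4_options(text):
    """Return the option names of each active 'preprocessor stream4' line."""
    found = []
    for line in logical_lines(text):
        # The '$' after the optional ':args' part keeps stream4_reassemble from matching.
        m = re.match(r"preprocessor\s+stream4\s*(?::\s*(.*))?$", line)
        if m:
            args = m.group(1) or ""
            found.append([a.split()[0] for a in args.split(",") if a.strip()])
    return found

def evasion_alerts_state(text):
    """'disabled', 'enabled', or 'stream4 not loaded' for a snort.conf text."""
    configs = stream4_options(text)
    if not configs:
        return "stream4 not loaded"
    # Assumption: if several stream4 lines exist, the last one is reported.
    return "disabled" if "disable_evasion_alerts" in configs[-1] else "enabled"
```

Running `evasion_alerts_state(open("snort.conf").read())` against the file Snort is started with shows whether a commented-out default line has left evasion alerts enabled.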
Current thread:
- Help to configure SNORT Lorenzo Rossi (Dec 23)
- Re: Help to configure SNORT Matt Kettler (Dec 23)
- Re: Help to configure SNORT Lorenzo Rossi (Dec 23)
- Re: Help to configure SNORT Matt Kettler (Dec 24)
- Re: Help to configure SNORT Lorenzo Rossi (Dec 23)
- <Possible follow-ups>
- Help to configure SNORT Lorenzo Rossi (Dec 30)
- Re: Help to configure SNORT Matt Kettler (Dec 23)