Snort mailing list archives

Re: Strange Alerts


From: Erek Adams <erek () snort org>
Date: Wed, 23 Apr 2003 12:32:58 -0400 (EDT)

On Wed, 23 Apr 2003, Artur Bittencourt wrote:

         I have the same situation here. After I've upgraded to Snort 2.0.0
I've got a lot of alerts (more than 191000) with "(snort_decoder): T/TCP
Detected" on my e-mail server. How do I turn this rule off?

Did you upgrade your snort.conf?  If not, you need to.

Then have a look in it.  Up near the top, you'll see something like:

  # Configure the snort decoder:
  # ============================
  #
  # Stop generic decode events:
  #
  # config: disable_decode_alerts
  #
  # Stop Alerts on experimental TCP options
  #
  # config: disable_tcpopt_experimental_alerts
  #
  # Stop Alerts on obsolete TCP options
  #
  # config: disable_tcpopt_obsolete_alerts
  #
  # Stop Alerts on T/TCP alerts
  #
  # config: disable_ttcp_alerts
  #
  # Stop Alerts on all other TCPOption type events:
  #
  # config: disable_tcpopt_alerts
  #
  # Stop Alerts on invalid ip options
  # config: disable_ipopt_alerts


Uncomment the disable_ttcp_alerts line.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

