Can not stop T/TCP Detected alerts?

[brett <brett () ekit-inc com>]

I am getting a heap of the alerts: 

        [snort] (snort_decoder): T/TCP Detected.

It seems to be triggered by the CC.NEW: field in the TCP options as
below:

Transmission Control Protocol, Src Port: 21776 (21776), Dst Port: smtp
(25), Seq: 2549039317, Ack: 0, Len: 0
    Source port: 21776 (21776)
    Destination port: smtp (25)
    Sequence number: 2549039317
    Header length: 48 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x5ae9 (correct)
    Options: (28 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 1 (multiply by 2)
        NOP
        NOP
        Time stamp: tsval 176589, tsecr 0
        NOP
        NOP
        CC.NEW: 1784

I have un-commented the disable ttcp_alerts in snort.config and
restarted snort but am still seeing the alerts?

        # Stop Alerts on T/TCP alerts
        #

        config disable_ttcp_alerts

Any Suggestions?

- Brett



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users