Snort mailing list archives

Re: Help to configure SNORT


From: Lorenzo Rossi <condor_rl () libero it>
Date: Tue, 23 Dec 2003 23:00:40 +0100

Hi Matt,

I'm sorry to have posted the message to the wrong mailing list... now I
have understood. :)

Thanks for your suggestions!

You know that the default in "snort.conf" for "spp_stream4" is
disable_evasion_alerts.

I have enabled "evasion_alerts" even if I did not know well what it
does. I know this is the wrong way to do things... but I was trying to
have the maximum control over the suspicious traffic.
At the beginning my idea was to enable "evasion_alerts" and modify rules
to avoid this control against the servers I know.
Honestly I do not know how to realize this, because I'm still studying the
preprocessors and rules syntax... it is not so simple :(

Do you have any suggestions...?

Do you think it is a good idea to have "evasion_alerts" enabled even if it
causes lots of alerts?

Thanks
Lorenzo

On Tue, 2003-12-23 at 22:40, Matt Kettler wrote:
At 04:25 PM 12/23/2003, Lorenzo Rossi wrote:

Could you help me to solve this problem?

Ok, you made it to snort-users... did you get the rest of my message? I 
made the effort to offer some suggestions about your problem itself, and 
you reposted your question without any changes to reflect that you'd tried 
my suggestions.


----------------
You should be able to get rid of these by configuring spp_stream4 with 
disable_evasion_alerts.

This is also the default setting in the default snort.conf, so I'm not sure 
why you've been getting these alerts.
----------------

Do you already have disable_evasion_alerts as a parameter to spp_stream4 in 
your snort.conf?
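
The check Matt asks about above, as an added example that is not part of the original thread: a small Python script that reads snort.conf text and reports whether every active `preprocessor stream4` line carries `disable_evasion_alerts`. The sample configuration fragments are constructed, and `detect_scans` and `timeout` appear only as illustrative stream4 options.

```python
import re

# Constructed sample snort.conf fragments (not taken from the thread).
SAMPLE_DEFAULT = """\
# stream4: stateful inspection / stream reassembly
preprocessor stream4: disable_evasion_alerts, \\
    timeout 30
preprocessor stream4_reassemble
"""

SAMPLE_ENABLED = """\
#preprocessor stream4: disable_evasion_alerts
preprocessor stream4: detect_scans
"""


def stream4_options(conf_text):
    """Return one dict of options per active 'preprocessor stream4' line."""
    # Join lines that end in a backslash continuation.
    joined = re.sub(r"\\\r?\n", " ", conf_text)
    results = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        # Match stream4 itself, not stream4_reassemble.
        m = re.match(r"preprocessor\s+stream4\s*(?::\s*(.*))?$", line)
        if not m:
            continue
        opts = {}
        for item in (m.group(1) or "").split(","):
            parts = item.split(None, 1)
            if parts:
                # Flag options map to True, valued options to their value.
                opts[parts[0]] = parts[1].strip() if len(parts) > 1 else True
        results.append(opts)
    return results


def evasion_alerts_disabled(conf_text):
    """True/False when stream4 is configured, None when it is not loaded."""
    configs = stream4_options(conf_text)
    if not configs:
        return None
    return all("disable_evasion_alerts" in o for o in configs)
```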




