Snort mailing list archives
Decoder Alerts (config options ignored?)
From: Code Six <code.c6 () gmail com>
Date: Thu, 19 Jan 2012 12:42:02 -0600
The last time I e-mailed in about this I don't believe I received a response and I ended up simply reverting back to the older version that worked fine. Well, I've attempted to upgrade again - from 2.8.6.1 to 2.9.2. Here's the issue:

Even with the following set:

    config disable_decode_alerts
    config checksum_mode: noudp noip notcp
    config disable_tcpopt_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_tcpopt_ttcp_alerts
    config disable_ipopt_alerts

I'm still getting the full list of decoder alerts in my traffic.

I start snort with the following options:

    -vv -D -q -u snort -g snort -c /etc/snort/rules/snort.conf -i $INT -F /etc/snort/excludes/excludes.config --snaplen 1518

The snaplen set to 1518 seems to help with one particular alert (WARNING: IP dgm len > captured len), but I have had to suppress all the decoder alerts. The one I can't get rid of is

    WARNING: Experimental Tcp Options found

even though that also is disabled in the config.

This is on an Ubuntu machine (lucid) 10.04. Snort was configured with the following options:

    ./configure --enable-64bit-gcc --enable-ipv6 --enable-ppm --enable-perfprofiling --enable-linux-smp-stats --enable-pthread --enable-ppm-test --enable-reload --with-mysql --enable-large-pcap --enable-decoder-preprocessor-rules --enable-dynamicplugin

Any insight is appreciated as I'm likely just missing something obvious.

Thank you!

A.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
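The decoder-alert setup in the post above, worked through as an added example; this is editor-supplied code, not part of the thread and not Snort's own tooling. It assumes what the poster's --enable-decoder-preprocessor-rules build implies: decoder events are emitted as GID 116 rules loaded from preproc_rules/decoder.rules (via "include $PREPROC_RULE_PATH/decoder.rules" in snort.conf), the legacy "config disable_*_alerts" lines are then inert, and an event is silenced by commenting out its rule or by a "suppress gen_id 116, sig_id N" line. The script flags the legacy config lines, lists the active decoder rules, and rewrites a rules file to silence named events. The rule text, the sid numbers, and the mapping of "WARNING: Experimental Tcp Options found" to the DECODE_TCPOPT_EXPERIMENTAL rule are assumptions constructed for the example; take the real sids from your own decoder.rules.

```python
import re

# Constructed sample in the format of Snort 2.9's preproc_rules/decoder.rules.
# The sid values here are assumptions for illustration, not taken from a real file.
SAMPLE_DECODER_RULES = """\
# decoder.rules (constructed sample)
alert ( msg: "DECODE_IP_DGRAM_GT_CAPLEN"; sid: 6; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
alert ( msg: "DECODE_TCPOPT_TTCP"; sid: 56; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
alert ( msg: "DECODE_TCPOPT_OBSOLETE"; sid: 57; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
alert ( msg: "DECODE_TCPOPT_EXPERIMENTAL"; sid: 58; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
# alert ( msg: "DECODE_IPV4OPT_BADLEN"; sid: 4; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
"""

# Constructed snort.conf fragment with the legacy options from the post. On a build
# that uses decoder/preprocessor rules these "config disable_*" lines have no effect.
SAMPLE_SNORT_CONF = """\
config disable_decode_alerts
config checksum_mode: noudp noip notcp
config disable_tcpopt_experimental_alerts
include $PREPROC_RULE_PATH/decoder.rules
"""

# Decoder/preprocessor rules have no protocol/address header, just "action ( options )".
RULE_RE = re.compile(
    r'^\s*(?P<commented>#\s*)?(?P<action>alert|log|pass|drop|sdrop|reject)\s*\((?P<body>.*)\)\s*$'
)
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;')
LEGACY_RE = re.compile(r'^\s*config\s+(?:disable|enable)_(?:decode|tcpopt|ipopt|ttcp)\w*')


def parse_rule(line):
    """Parse one decoder rule line into a dict, or return None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(m.group('body'))}
    if 'sid' not in opts:
        return None
    return {
        'enabled': m.group('commented') is None,   # commented-out rules are disabled
        'action': m.group('action'),
        'msg': opts.get('msg', ''),
        'gid': int(opts.get('gid', '1')),           # decoder events carry gid 116
        'sid': int(opts['sid']),
    }


def active_events(rules_text):
    """Map msg -> (gid, sid) for every rule that is not commented out."""
    parsed = (parse_rule(l) for l in rules_text.splitlines())
    return {r['msg']: (r['gid'], r['sid']) for r in parsed if r and r['enabled']}


def legacy_decoder_options(conf_text):
    """Return the config lines that only act on builds without decoder/preprocessor rules."""
    return [l.strip() for l in conf_text.splitlines() if LEGACY_RE.match(l)]


def disable_events(rules_text, msgs):
    """Comment out the named events; return (rewritten text, equivalent suppress lines)."""
    wanted = set(msgs)
    out, suppress = [], []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r and r['enabled'] and r['msg'] in wanted:
            out.append('# ' + line)
            # Same effect without editing decoder.rules: a suppress entry in threshold.conf
            suppress.append(f"suppress gen_id {r['gid']}, sig_id {r['sid']}")
        else:
            out.append(line)
    return '\n'.join(out) + '\n', suppress


if __name__ == '__main__':
    print("legacy options with no effect under decoder rules:")
    for opt in legacy_decoder_options(SAMPLE_SNORT_CONF):
        print("  ", opt)
    print("active decoder events:", active_events(SAMPLE_DECODER_RULES))
    new_text, sup = disable_events(SAMPLE_DECODER_RULES, ["DECODE_TCPOPT_EXPERIMENTAL"])
    print(new_text)
    print('\n'.join(sup))
```

After editing the real decoder.rules or adding the suppress lines, run snort with -T against the same snort.conf to confirm it parses, then watch for the GID 116 event rather than the legacy "WARNING:" text.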
Current thread:
- Decoder Alerts (config options ignored?) Code Six (Jan 19)
- Re: Decoder Alerts (config options ignored?) Jefferson, Shawn (Jan 20)
- Re: Decoder Alerts (config options ignored?) Russ Combs (Jan 20)
- Re: Decoder Alerts (config options ignored?) Code Six (Jan 20)
- Re: Decoder Alerts (config options ignored?) Russ Combs (Jan 24)
- Re: Decoder Alerts (config options ignored?) Russ Combs (Jan 20)
- Re: Decoder Alerts (config options ignored?) Jefferson, Shawn (Jan 20)