Snort mailing list archives
Re: Decoder Alerts (config options ignored?)
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 20 Jan 2012 17:52:05 -0500
This is in the manual (section 2.10.2) and in README.multipleconfigs:

  The following config options are specific to each configuration. If not defined in a configuration, the default values of the option (not the default configuration values) take effect.

    config checksum_drop
    config disable_decode_alerts
    config disable_decode_drops
    config disable_ipopt_alerts
    config disable_ipopt_drops
    config disable_tcpopt_alerts
    config disable_tcpopt_drops
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_experimental_drops
    config disable_tcpopt_obsolete_alerts
    config disable_tcpopt_obsolete_drops
    config disable_ttcp_alerts
    config disable_tcpopt_ttcp_alerts
    config disable_ttcp_drops

Are you saying that is not working for you?

On Fri, Jan 20, 2012 at 1:34 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
There has been a bug in Snort for quite a while when you are using multiple configs: the disable_decode stuff is ignored for the extra configs (it only seems to be respected for the default/main config). I don't know if that has been fixed in the latest version?

From: Code Six [mailto:code.c6 () gmail com]
Sent: Thursday, January 19, 2012 10:42 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Decoder Alerts (config options ignored?)

The last time I e-mailed in about this I don't believe I received a response, and I ended up simply reverting back to the older version that worked fine. Well, I've attempted to upgrade again, from 2.8.6.1 to 2.9.2.

Here's the issue: even with the following set:

    config disable_decode_alerts
    config checksum_mode: noudp noip notcp
    config disable_tcpopt_alerts
    config disable_tcpopt_experimental_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_tcpopt_ttcp_alerts
    config disable_ipopt_alerts

I'm still getting the full list of decoder alerts in my traffic. I start snort with the following options:

    -vv -D -q -u snort -g snort -c /etc/snort/rules/snort.conf -i $INT -F /etc/snort/excludes/excludes.config --snaplen 1518

The snaplen set to 1518 seems to help with one particular alert (WARNING: IP dgm len > captured len), but I have had to suppress all the decoder alerts. The one I can't get rid of is

    WARNING: Experimental Tcp Options found

even though that also is disabled in the config.

This is on an Ubuntu machine (lucid, 10.04). Snort was configured with the following options:

    ./configure --enable-64bit-gcc --enable-ipv6 --enable-ppm --enable-perfprofiling --enable-linux-smp-stats --enable-pthread --enable-ppm-test --enable-reload --with-mysql --enable-large-pcap --enable-decoder-preprocessor-rules --enable-dynamicplugin

Any insight is appreciated as I'm likely just missing something obvious. Thank you!
A.
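As an added illustration of the per-configuration behaviour Russ quotes from README.multipleconfigs (this is example configuration, not from the thread or from the Snort distribution): the decoder disable_* options set in the default snort.conf do not carry over to a bound configuration, so each bound configuration has to repeat the ones it needs. The `config binding:` and `config policy_id:` syntax is that of the Snort 2.9 manual's multiple-configurations section; the bound file path and the VLAN id are assumptions.

```conf
# /etc/snort/rules/snort.conf  (the default configuration, as used on the
# command line with -c)

# Decoder alert suppression for traffic handled by the default config.
config disable_decode_alerts
config disable_tcpopt_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ipopt_alerts

# Send VLAN 10 traffic to a second configuration (assumed path and VLAN id).
# Everything in the bound file below applies only to that traffic.
config binding: /etc/snort/vlan10.conf vlan 10


# /etc/snort/vlan10.conf  (assumed file; bound configuration for VLAN 10)
config policy_id: 10

# The disable_* options above are configuration-specific. If this file left
# them out, the option defaults (decoder alerts enabled) would apply to
# VLAN 10 traffic even though the default configuration disabled them, and
# "Experimental Tcp Options found" and friends would still fire here.
# They therefore have to be restated in every bound configuration:
config disable_decode_alerts
config disable_tcpopt_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ipopt_alerts
```

A quick way to check which configuration a packet landed in is to look at the policy id Snort attaches to the alert (the policy_id set in the bound file); an alert tagged with the bound policy's id while the option is only set in the default file is the situation the README text describes, not a case of the option being ignored.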
Current thread:
- Decoder Alerts (config options ignored?) Code Six (Jan 19)
- Re: Decoder Alerts (config options ignored?) Jefferson, Shawn (Jan 20)
- Re: Decoder Alerts (config options ignored?) Russ Combs (Jan 20)
- Re: Decoder Alerts (config options ignored?) Code Six (Jan 20)
- Re: Decoder Alerts (config options ignored?) Russ Combs (Jan 24)
- Re: Decoder Alerts (config options ignored?) Russ Combs (Jan 20)
- Re: Decoder Alerts (config options ignored?) Jefferson, Shawn (Jan 20)