Re: Decoder Alerts (config options ignored?)

[Russ Combs <rcombs () sourcefire com>]

This is in the manual (section 2.10.2) and in README.multipleconfigs:

The following config options are specific to each configuration. If not
defined
in a configuration, the default values of the option (not the default
configuration values) take effect.

config checksum_drop
config disable_decode_alerts
config disable_decode_drops
config disable_ipopt_alerts
config disable_ipopt_drops
config disable_tcpopt_alerts
config disable_tcpopt_drops
config disable_tcpopt_experimental_alerts
config disable_tcpopt_experimental_drops
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_obsolete_drops
config disable_ttcp_alerts
config disable_tcpopt_ttcp_alerts
config disable_ttcp_drops

Are you saying that is not working for you?

On Fri, Jan 20, 2012 at 1:34 PM, Jefferson, Shawn <
Shawn.Jefferson () bcferries com> wrote:

> There has been a bug in Snort for quite a while when you are using
> multiple configs, the disable_decode stuff is ignored for the extra configs
> (only seems to be respected for the default/main config).  I don’t know if
> that has been fixed in the latest version?****
>
> ** **
>
> *From:* Code Six [mailto:code.c6 () gmail com]
> *Sent:* Thursday, January 19, 2012 10:42 AM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Decoder Alerts (config options ignored?)****
>
> ** **
>
> ** **
>
>
> The last time I e-mailed in about this I don't believe I received a
> response and I ended up simply reverting back to the older version that
> worked fine.
> Well, I've attempted to upgrade again - from 2.8.6.1 to 2.9.2
>
> Here's the issue:
> Even with the following set:
>
>
> config disable_decode_alerts
> config checksum_mode: noudp noip notcp
> config disable_tcpopt_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_ipopt_alerts
>
> I'm still getting the full list of decoder alerts in my traffic.
>
> I start snort with the following options:
> -vv -D -q -u snort -g snort -c /etc/snort/rules/snort.conf -i $INT -F
> /etc/snort/excludes/excludes.config --snaplen 1518
>
> The snaplen set to 1518 seems to help with one particular alert (WARNING:
> IP dgm len > captured len), but I have had to suppress all the decoder
> alerts.
> The one I can't get rid of is  WARNING: Experimental Tcp Options found
> Even though that also is disabled in the config.
>
> This is on an ubuntu machine (lucid) 10.04
>
> Snort was configured with the following options:
> ./configure --enable-64bit-gcc --enable-ipv6 --enable-ppm
> --enable-perfprofiling --enable-linux-smp-stats --enable-pthread
> --enable-ppm-test --enable-reload --with-mysql --enable-large-pcap
> --enable-decoder-preprocessor-rules --enable-dynamicplugin
>
> Any insight is appreciated as I I'm likely just missing something obvious.
>
> Thank you!
>
> A.****
>
> ** **
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!