Snort mailing list archives
Re: 'conifg stateful' option
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 14 Nov 2013 00:11:38 +0000
The stream4 stuff is not in the config.. it's all stream 5. This comment was up with the other config options (disable_decode_alerts, ttcp_alerts, etc).

On Wed, Nov 13, 2013 at 11:59 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 11/13/2013 6:17 PM, Jeremy Hoel wrote:
>> We noticed that our snort boxes didn't trigger on a rule that was reported by an upstream provider. Taking the pcaps and playing them back against a stock snort.conf shows that the rule triggers. One of the differences between the configs is that ours included "config stateful". From most of the documentation, this is a holdover from the stream4 processor and we are configured to use stream5 (2.9.5.5), but when that statement was in the config, the udp packets wouldn't trigger the rule. Comment it out and it did.
>
> do you still have any stream4 config stuff in your configs? i've been under the impression that since stream5 came out, all stream4 stuff should be completely removed from one's config...
>
> --
> NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- 'conifg stateful' option Jeremy Hoel (Nov 13)
- Re: 'conifg stateful' option waldo kitty (Nov 13)
- Re: 'conifg stateful' option Jeremy Hoel (Nov 13)
- Re: 'conifg stateful' option waldo kitty (Nov 13)