Snort mailing list archives

Re: inconsistency docu vs. snort.conf


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Wed, 25 Jan 2017 12:53:31 +0100

Hi,

I think there are more inconsistencies, e.g. small_segments is not 0 as
stated in https://www.snort.org/faq/readme-stream5
It has been reported at
https://www.reddit.com/r/netsecstudents/comments/5dns4l/creating_content_snort_rules/
so the inconsistency was probably already present in Snort 2.9.8.3, or
maybe even longer.

Marcin

On Wed, Jan 25, 2017 at 12:18 PM, Felix Erlacher <felix.erlacher () uibk ac at>
wrote:

Hi all,

I think I just found an inconsistency between the official documentation
and the example snort.conf file.
In the current documentation for Snort 2.9.9 (dated November 14)
available on the snort.org webpage it says on page 46 for the
preprocessor stream5_tcp option "require_3whs" --> "the default is set
to off" and for the session grace period of that option "The default is
'0'".
But in the sample snort.conf file in the Snort 2.9.9.0 tarball as well
as the one on the webpage (https://www.snort.org/configurations) the
require_3whs option is enabled and the grace period set to 180 seconds.

The same holds for the "detect_anomalies" option, docu says default is
off, in example snort.conf it is turned on.

greetings

--
Felix Erlacher




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
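
A check for the kind of drift discussed in this thread, as an added example that is not part of the original messages and not Snort's own code: it parses `preprocessor stream5_tcp` lines and reports options that differ from the defaults the posters quote from the documentation. The configuration fragment is constructed (the `small_segments` value in it is made up), and the function names are hypothetical.

```python
import re

# Defaults as the thread quotes them from the documentation.
DOCUMENTED_DEFAULTS = {
    "require_3whs": "off",
    "detect_anomalies": "off",
    "small_segments": "0",
}

# Constructed sample, not copied from the tarball: require_3whs 180 and
# detect_anomalies follow the thread; the small_segments value is made up.
SAMPLE_CONF = r"""
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    require_3whs 180, small_segments 3 bytes 150, \
    timeout 180
"""

def stream5_tcp_options(conf_text):
    """Return one {option: argument} dict per stream5_tcp line."""
    # snort.conf continues long lines with a trailing backslash.
    joined = re.sub(r"\\[ \t]*\r?\n", " ", conf_text)
    policies = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"preprocessor\s+stream5_tcp\s*:\s*(.*)", line)
        if not m:
            continue
        opts = {}
        for item in m.group(1).split(","):
            parts = item.split(None, 1)
            if parts:  # a bare flag such as detect_anomalies means "on"
                opts[parts[0]] = parts[1].strip() if len(parts) > 1 else "on"
        policies.append(opts)
    return policies

def deviations(conf_text):
    """List (option, documented, configured) where the file differs."""
    found = []
    for opts in stream5_tcp_options(conf_text):
        for name, documented in DOCUMENTED_DEFAULTS.items():
            configured = opts.get(name, documented)  # absent: default applies
            if configured != documented:
                found.append((name, documented, configured))
    return found

if __name__ == "__main__":
    for name, documented, configured in deviations(SAMPLE_CONF):
        print(f"{name}: documented {documented!r}, file sets {configured!r}")
```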
