[Snort-devel] can't disable spp_stream4 TTL EVASION alerts ?

Chris Green cmg at ...402...
Wed Jun 5 08:08:03 EDT 2002


Edwin Eefting <edwin at ...1392...> writes:

> I'm using Version 1.9-dev (Build 155) but I still am unable to disable
> this alert:
>
>  (spp_stream4) TTL EVASION (reassemble) detection

set ttl_limit 0

>
> My stream4 settings:
> preprocessor stream4: memcap 64000000, disable_evasion_alerts,noinspect
> preprocessor stream4_reassemble: noalerts 
>
>
> Since I've downloaded build 155 (I had build 147 before) I also receive
> some kind of new alert very often:
>
>  (snort_decoder) Unknown Datagram decoding problem! 
>
> How can I disable these alerts? (I believe the first one is a bug in
> spp_stream4, there seems to be a missing check in the sourcecode)
> I get flooded with these messages.


You can't right now.   It will be added soon.  :-)
-- 
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod




More information about the Snort-devel mailing list