[Snort-devel] can't disable spp_stream4 TTL EVASION alerts ?

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Wed Jun 5 08:23:02 EDT 2002

Or... I'm a jack*ss and forgot that I changed ttl_limit to 0.

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Wednesday, June 05, 2002 10:04 AM
To: edwin at ...1392...
Cc: Snort Developers List
Subject: Re: [Snort-devel] can't disable spp_stream4 TTL EVASION alerts ?

Edwin Eefting <edwin at ...1392...> writes:

> I'm using Version 1.9-dev (Build 155) but I still am unable to disable 
> this alert:
>  (spp_stream4) TTL EVASION (reassemble) detection

set ttl_limit 0

> My stream4 settings:
> preprocessor stream4: memcap 64000000, 
> disable_evasion_alerts,noinspect preprocessor stream4_reassemble: 
> noalerts
> Since I've downloaded build 155 (I had build 147 before) I also 
> receive some kind of new alert very often:
>  (snort_decoder) Unknown Datagram decoding problem!
> How can I disable these alerts? (I believe the first one is a bug in 
> spp_stream4, there seems to be a missing check in the sourcecode) I 
> get flooded with these messages.

You can't right now.   It will be added soon.  :-)
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod


Don't miss the 2002 Sprint PCS Application Developer's Conference August
25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

Snort-devel mailing list
Snort-devel at lists.sourceforge.net

More information about the Snort-devel mailing list