[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon May 20 09:20:01 EDT 2002


The only problem with the new 146 is that I get MASSIVE amounts of alerts
from http_decode.  I can't seem to find the documentation on how to get it
to shut the f*ck up.  I've taken out all the little flags (just doing
unicode), and it still barks about giant HTTP request and the like.
Fortunately the asynchronous_link for stream4 fixed the excess information
we were getting from it. 

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Monday, May 20, 2002 11:16 AM
To: Kreimendahl, Chad J
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> In what build of snort was the use of multiple flow arguments 
> introduced?

Dunno - 4/07/02 was when the keyword was introduced
>
> I just tested it with build 126, and the rule I changed stopped 
> hitting.

That's ancient for the 1.9 series :-)
-- 
Chris Green <cmg at ...402...>
Eschew obfuscation.