[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon May 20 13:25:04 EDT 2002


Asynchlink question...

Nope, we actually don't, but it seemed to be the only way to avoid the large
burden of several evasion alerts that were actually not evasions (our
firewall or core router causes most of them to happen).

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Monday, May 20, 2002 2:14 PM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> The only problem with the new 146 is that I get MASSIVE amounts of 
> alerts from http_decode.  I can't seem to find the documentation on 
> how to get it to shut the f*ck up.

We're still working on it.  This is the first complaint I've heard about it.
I'll go ahead and add the "disable internal alerts" flag sometime soon.

> I've taken out all the little flags (just doing unicode), and it still 
> barks about giant HTTP request and the like.  Fortunately the 
> asynchronous_link for stream4 fixed the excess information we were 
> getting from it.

Do you have an asynchronous_link?
--
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx



