[Snort-devel] Re: [Snort-users] spp_stream4 alerts "un-disable-able" ? :-)

bit edwin at ...1392...
Fri May 24 04:34:04 EDT 2002


----- Original Message -----
From: "Chris Green" <cmg at ...402...>
To: <edwin at ...1392...>
Cc: "'Snort List (E-mail)'" <snort-users at lists.sourceforge.net>
Sent: Thursday, May 23, 2002 7:42 PM
Subject: Re: [Snort-users] spp_stream4 alerts "un-disable-able" ? :-)

> Edwin Eefting <edwin at ...1392...> writes:
>
> > Hi,
> >
> > I can't seem to disable the new fragroute detection alerts in snort
Version
> > 1.9-dev (Build 147).
>
> > #preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes
16384
> > preprocessor stream4: memcap 64000000 disable_evasion_alerts
>
> You are missing a comma between 64000000 & disable_evasion_alerts

Well, i've changed the stream4 settings to:
preprocessor stream4: memcap 64000000, disable_evasion_alerts,noinspect
preprocessor stream4_reassemble: noalerts

And now I only get flooded with these messages:
 (spp_stream4) TTL EVASION (reassemble) detection


Anyway to disable this one to?
Thanks

Edwin





More information about the Snort-devel mailing list