[Snort-devel] disabling stream4 alerts

Chris Green cmg at ...402...
Thu May 30 07:17:04 EDT 2002


"Nathan W. Labadie" <ab0781 at ...839...> writes:

> This is with the latest CVS for SNORT_1_8, using linux on an i686.
>
> I have the following in snort.conf:
>
> preprocessor stream4: timeout 10, memcap 25165824, disable_evasion_alerts
> preprocessor stream4_reassemble: both, noalerts
>
> For some reason I'm still getting a _huge_ amount of alerts, all these:
>
> spp_stream4: TTL EVASION (reassemble) detection
>
> Is there any way to disable this? I'm 99% sure I have the options in 
> snort.conf correct... any ideas?
>
Add 

ttl_limit 0

to your configuration or move it up

preprocessor stream4: timeout 10, memcap 25165824, disable_evasion_alerts, ttl_limit 0

hrm.  Perhaps I should make disable_evasion_alerts trigger the
ttl_limit one too to eliminate confusion...

-- 
Chris Green <cmg at ...402...>
Let not the sands of time get in your lunch.



