[Snort-devel] disabling stream4 alerts
cmg at ...402...
Thu May 30 07:17:04 EDT 2002
"Nathan W. Labadie" <ab0781 at ...839...> writes:
> This is with the latest CVS for SNORT_1_8, using linux on an i686.
> I have the following in snort.conf:
> preprocessor stream4: timeout 10, memcap 25165824, disable_evasion_alerts
> preprocessor stream4_reassemble: both, noalerts
> For some reason I'm still getting a _huge_ amount of alerts, all these:
> spp_stream4: TTL EVASION (reassemble) detection
> Is there any way to disable this? I'm 99% sure I have the options in
> snort.conf correct... any ideas?
to your configuration or move it up
preprocessor stream4: timeout 10, memcap 25165824, disable_evasion_alerts, ttl_limit 0
hrm. Perhaps I should make disable_evasion_alerts trigger the
ttl_limit one too to eliminate confusion...
Chris Green <cmg at ...402...>
Let not the sands of time get in your lunch.
More information about the Snort-devel