[Snort-devel] disabling stream4 alerts

Chris Green cmg at ...402...
Thu May 30 07:17:04 EDT 2002

"Nathan W. Labadie" <ab0781 at ...839...> writes:

> This is with the latest CVS for SNORT_1_8, using linux on an i686.
> I have the following in snort.conf:
> preprocessor stream4: timeout 10, memcap 25165824, disable_evasion_alerts
> preprocessor stream4_reassemble: both, noalerts
> For some reason I'm still getting a _huge_ amount of alerts, all these:
> spp_stream4: TTL EVASION (reassemble) detection
> Is there any way to disable this? I'm 99% sure I have the options in 
> snort.conf correct... any ideas?

ttl_limit 0

to your configuration or move it up

preprocessor stream4: timeout 10, memcap 25165824, disable_evasion_alerts, ttl_limit 0

hrm.  Perhaps I should make disable_evasion_alerts trigger the
ttl_limit one too to eliminate confusion...

Chris Green <cmg at ...402...>
Let not the sands of time get in your lunch.

More information about the Snort-devel mailing list