[Snort-devel] Doc Patch? Disabling Decode alerts ....
mark at ...1121...
Mon Nov 4 08:18:09 EST 2002
Chris et al,
I have received a slew of the alerts below, and ended up going to the source
to find out how to disable them. I appreciate that the option itself is
documented, and a search on the option reveals what it does - but trying to
find the error message and relating it back to the option is not quite so
I was wondering about some form of options/features/errors index the
documentation might be useful - would you like one?
Although you have requested packets to debug the decoder with, I suspect the
vast majority are from crap IP stacks - as is the one below.
[**] (snort_decoder) Unknown Datagram decoding problem! [**]
11/04-11:13:17.191767 xx.xx.xx.xx -> xx.xx.xx.xx
ICMP TTL:121 TOS:0x0 ID:23700 IpLen:20 DgmLen:30
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
ORIGINAL DATAGRAM TRUNCATED
select data_payload FROM data WHERE sid=x AND cid=xxxxxx;
| data_payload |
| 000000004500 |
(I'm sending this to the list because: ...
From the release announcement for snort_1_9
. the decoder creates alerts for packets it doesn't understand ( save this
and submit them as BUGS or events ) config disable_decode_alerts to
disable this feature
Mark Vevers. mark at ...1121... / mvevers at ...1209...
Principal Internet Engineer, Internet for Learning,
Research Machines Plc AS 5503
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C C31E 58B5 3D1C B08F 3CA3
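
Added example, not part of the original message and not Snort code: a small triage helper that reads the alert and data_payload value quoted above and shows why the decoder complained. RFC 792 says an ICMP error quotes the original IP header plus 64 bits of its data; the helper name `triage` and the assumption that data_payload begins right after the ICMP type/code/checksum are mine.

```python
import re

# Alert text and data_payload value as quoted in the message above
# (addresses were already masked there).
ALERT = """[**] (snort_decoder) Unknown Datagram decoding problem! [**]
11/04-11:13:17.191767 xx.xx.xx.xx -> xx.xx.xx.xx
ICMP TTL:121 TOS:0x0 ID:23700 IpLen:20 DgmLen:30
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
ORIGINAL DATAGRAM TRUNCATED"""
PAYLOAD_HEX = "000000004500"

ICMP_FIXED = 4   # type, code, checksum
ICMP_REST = 4    # unused / next-hop MTU word of an ICMP error message
ICMP_ERRORS = {3, 4, 5, 11, 12}  # types that quote the offending datagram


def _field(pattern, text):
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"alert is missing {pattern!r}")
    return m


def triage(alert, payload_hex):
    """Explain why a decoder alert on an ICMP error fired (hypothetical helper)."""
    head = _field(r"\[\*\*\] \((\w+)\) (.+?) \[\*\*\]", alert)
    ip_len = int(_field(r"IpLen:(\d+)", alert).group(1))
    dgm_len = int(_field(r"DgmLen:(\d+)", alert).group(1))
    icmp_type = int(_field(r"Type:(\d+)", alert).group(1))
    payload = bytes.fromhex(payload_hex)
    # Assumption: data_payload starts right after type/code/checksum.
    quoted = payload[ICMP_REST:] if icmp_type in ICMP_ERRORS else b""
    # RFC 792: an error quotes the original IP header plus 64 bits of data.
    ihl = (quoted[0] & 0x0F) * 4 if quoted else 20
    needed = ihl + 8
    return {
        "generator": head.group(1),
        "message": head.group(2),
        "icmp_len": dgm_len - ip_len,
        "lengths_consistent": dgm_len - ip_len == ICMP_FIXED + len(payload),
        "quoted_len": len(quoted),
        "missing": max(0, needed - len(quoted)),
        "truncated": icmp_type in ICMP_ERRORS and len(quoted) < needed,
    }


if __name__ == "__main__":
    for key, value in triage(ALERT, PAYLOAD_HEX).items():
        print(f"{key}: {value}")
```

For the quoted alert this reports 2 quoted bytes where 28 are expected, which matches the "ORIGINAL DATAGRAM TRUNCATED" line: the sender's stack cut the quoted datagram short, so the alert reflects the packet rather than a decoder bug.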