[Snort-devel] Doc Patch? Disabling Decode alerts ....

Mark Vevers mark at ...1121...
Mon Nov 4 08:18:09 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris et al,

I have received a slew of the alerts below, and ended up going to the source 
to find out how to disable them.  I appreciate that the option itself is 
documented, and a search on the option reveals what it does - but trying to 
find the error message and relating it back to the option is not quite so 
trivial.

I was wondering whether some form of options/features/errors index for the 
documentation might be useful - would you like one?

Although you have requested packets to debug the decoder with, I suspect the 
vast majority are from crap IP stacks - as is the one below.

Cheers
Mark

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] (snort_decoder) Unknown Datagram decoding problem! [**]
11/04-11:13:17.191767 xx.xx.xx.xx -> xx.xx.xx.xx
ICMP TTL:121 TOS:0x0 ID:23700 IpLen:20 DgmLen:30
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
ORIGINAL DATAGRAM TRUNCATED
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
select data_payload FROM data WHERE sid=x AND cid=xxxxxx;
+--------------+
| data_payload |
+--------------+
| 000000004500 |

(I'm sending this to the list because: ...
  From the release announcement for snort_1_9

   .  the decoder creates alerts for packets it doesn't understand ( save this
     and submit them as BUGS or events ) config disable_decode_alerts to
     disable this feature 



- -- 
Mark Vevers.    mark at ...1121... / mvevers at ...1209...
Principal Internet Engineer, Internet for Learning,
Research Machines Plc  AS 5503
- --
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C   C31E 58B5 3D1C B08F 3CA3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9xp2ZWLU9HLCPPKMRAjclAJ9Vq1xlRZxLGrGfJiGyeF0HBxED+ACgik3U
GdcZ4e48nBIRhNwQ0QqaDLc=
=T3mr
-----END PGP SIGNATURE-----
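The alert quoted in the message is the decoder refusing to parse a destination-unreachable message whose quoted original datagram is only two bytes long (the `4500` after the four unused bytes). The example below is added here and is not from the post or from Snort; it performs the same kind of sanity check on the ICMP payload that a decoder must do before trusting the embedded header, so the cause of such an alert can be confirmed from the stored `data_payload` rather than hunted in the source. The function name, the constructed samples and the well-formed comparison packet are assumptions; the minimum lengths follow the RFC 792 format (original IP header plus 64 bits of its data).

```python
import struct

ICMP_DEST_UNREACH = 3      # ICMP type 3
ICMP_HDR_LEN = 8           # type, code, checksum, 4 unused bytes
MIN_IP_HDR_LEN = 20        # IPv4 header without options
QUOTED_DATA_LEN = 8        # RFC 792: header + 64 bits of the original datagram


def inner_datagram_status(icmp: bytes) -> str:
    """Classify an ICMP message by whether the quoted original datagram
    is complete enough to be decoded.  Returns "ok" or a reason string.
    Hypothetical helper written for this example."""
    if len(icmp) < ICMP_HDR_LEN:
        return "icmp header truncated"
    icmp_type = icmp[0]
    if icmp_type != ICMP_DEST_UNREACH:
        return "not destination unreachable"

    inner = icmp[ICMP_HDR_LEN:]
    # The decoder needs at least a full IPv4 header to read the inner addresses and protocol.
    if len(inner) < MIN_IP_HDR_LEN:
        return f"original datagram truncated ({len(inner)} of at least {MIN_IP_HDR_LEN} bytes)"

    version = inner[0] >> 4
    ihl = (inner[0] & 0x0F) * 4
    if version != 4 or ihl < MIN_IP_HDR_LEN:
        return "original datagram not a valid IPv4 header"

    # Without the first 8 bytes after the IP header the inner ports cannot be recovered.
    if len(inner) < ihl + QUOTED_DATA_LEN:
        return "original datagram lacks the 8 bytes of transport header"
    return "ok"


# Constructed sample 1: the payload from the alert above, placed after a
# type 3 / code 3 header (checksum left as zero, it is not checked here).
TRUNCATED_SAMPLE = bytes([ICMP_DEST_UNREACH, 3, 0, 0]) + bytes.fromhex("000000004500")

# Constructed sample 2: a well-formed port unreachable quoting a 20-byte
# IPv4 header and the 8-byte UDP header of the original datagram.
_inner_ip = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0, 28, 0x1234, 0, 64, 17, 0,          # UDP, no options, checksum 0
    bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
)
_inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)
COMPLETE_SAMPLE = bytes([ICMP_DEST_UNREACH, 3, 0, 0, 0, 0, 0, 0]) + _inner_ip + _inner_udp

# Constructed sample 3: inner IP header present, but the transport header is missing.
HEADER_ONLY_SAMPLE = bytes([ICMP_DEST_UNREACH, 3, 0, 0, 0, 0, 0, 0]) + _inner_ip


if __name__ == "__main__":
    for name, sample in (("truncated", TRUNCATED_SAMPLE),
                         ("complete", COMPLETE_SAMPLE),
                         ("header only", HEADER_ONLY_SAMPLE)):
        print(f"{name:12s} -> {inner_datagram_status(sample)}")
```

Feeding the stored `data_payload` hex (prefixed with the 4-byte ICMP type/code/checksum) to `inner_datagram_status` reproduces the decoder's conclusion for the packet in the alert: two bytes of original datagram, so nothing about the inner flow can be recovered, which is exactly why the decoder can only report an unknown decoding problem.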