[Snort-users] Snort Preprocessor Option Delimiters

L. Christopher Luther CLuther at ...6333...
Tue Jul 16 10:43:04 EDT 2002

Hash: SHA1

I've run across some strange behavior for a Win32 version of Snort
1.86. The comments in snort.conf indicate that the stream4 and
stream4_reassemble preprocessors use comma delimited options. But
when I use the following statement in snort.conf: 
preprocessor stream4_reassemble: clientonly, ports "default"
Snort indicates that no ports are being monitored. Instead, I have to
preprocessor stream4_reassemble: clientonly ports "default"
However, if I do the same thing for the stream4 preprocessor: 
preprocessor stream4: disable_evasion_alerts detect_scans
the detect_scans option shows as disabled when Snort starts, so I
have to use a comma to separate these options. 
So, which *should* it be? Comma delimited or not? Is this a bug? 
Also, does anyone know if the "disable_evasion_alerts" option is
enabled by default. The start-up messages displayed by Snort do not
seem to change whether I use this option or not in snort.conf. 


L. Christopher Luther  
Technical Consultant  
Xybernaut Solutions, Inc.  
(703) 506-0400 x230  
cluther at ...6331...  

My PGP Public Key:  

CONFIDENTIALITY NOTE:  This communication contains 
information that is confidential and/or legally privileged.  
This information is intended only for the use of the individual 
or entity named on this communication. If you are not the 
intended recipient, you are hereby notified that any disclosure, 
copying, distribution, printing or other use of, or any action 
in reliance on, the contents of this communication is strictly 
prohibited.  If you receive this communication in error, please 
immediately notify us by telephone at (703) 506-0400. 

- ------------------------------------------------------------
Unsolicited commercial e-mail will automatically be reported
to the appropriate abuse@ - without exception.
- ------------------------------------------------------------

Version: PGP 7.1.1

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020716/8644f936/attachment.html>

More information about the Snort-users mailing list