[Snort-users] Snort Preprocessor Option Delimiters

Erek Adams erek at ...577...
Tue Jul 16 12:08:06 EDT 2002


On Tue, 16 Jul 2002, L. Christopher Luther wrote:

> I've run across some strange behavior for a Win32 version of Snort
> 1.86. The comments in snort.conf indicate that the stream4 and
> stream4_reassemble preprocessors use comma delimited options.

[...snip...]

> So, which *should* it be? Comma delimited or not? Is this a bug?

It's never a bug, it's an 'unknown software feature'.  :)

Long ago, each preprocessor had their own parsers within them.  Now things are
changing and moving to a much more standardized method.

(see below)

> Also, does anyone know if the "disable_evasion_alerts" option is
> enabled by default? The start-up messages displayed by Snort do not
> seem to change whether I use this option or not in snort.conf.

I would suggest upgrading to 1.8.7 if you can.  There was quite a bit of
change in the parsing code, and in the stream4 processor.  I'm not saying this
will 'fix' everything, but it would put you on the most solid codebase to work
from.

If you do update to 1.8.7, you'll want to also set the ttl_min value.  There
have been some recent postings on that, so check the archives for the discussion
and use of this.  Note:  It's for 1.8.7, and not 1.8.6.  :-/

Cheers!


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




