[Snort-users] Strange Alerts

Erek Adams erek at ...950...
Wed Apr 23 09:36:02 EDT 2003


On Wed, 23 Apr 2003, Artur Bittencourt wrote:

> I have the same situation here. After I've upgraded to Snort 2.0.0
> I've got a lot of alerts (more than 191000) with "(snort_decoder): T/TCP
> Detected" on my e-mail server. How do I turn this rule off?

Did you upgrade your snort.conf?  If not, you need to.

Then have a look in it.  Up near the top, you'll see something like:

  # Configure the snort decoder:
  # ============================
  #
  # Stop generic decode events:
  #
  # config: disable_decode_alerts
  #
  # Stop Alerts on experimental TCP options
  #
  # config: disable_tcpopt_experimental_alerts
  #
  # Stop Alerts on obsolete TCP options
  #
  # config: disable_tcpopt_obsolete_alerts
  #
  # Stop Alerts on T/TCP alerts
  #
  # config: disable_ttcp_alerts
  #
  # Stop Alerts on all other TCPOption type events:
  #
  # config: disable_tcpopt_alerts
  #
  # Stop Alerts on invalid ip options
  # config: disable_ipopt_alerts


Uncomment the disable_ttcp_alerts line.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

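An added example, not part of the original message or of Snort itself: a small Python helper that uncomments only the `disable_ttcp_alerts` line and then reports which decoder switches are active, so the other decoder alerts stay on. The function names and the sample text (built from the excerpt quoted above, with the mail indentation dropped) are assumptions; lines are kept exactly as written in the file.

```python
import re

# A decoder switch line, commented out or not, as written in the excerpt above.
SWITCH = re.compile(r"^(\s*)(#\s*)?(config:?\s+(disable_\w+_alerts))\s*$")

def decoder_switches(conf_text):
    """Return {directive: True if uncommented (active), False if commented out}."""
    state = {}
    for line in conf_text.splitlines():
        m = SWITCH.match(line)
        if m:
            # An active line anywhere wins over a commented copy.
            state[m.group(4)] = state.get(m.group(4), False) or m.group(2) is None
    return state

def uncomment(conf_text, directive):
    """Uncomment only the named directive; all other lines are left untouched."""
    out, changed = [], 0
    for line in conf_text.splitlines():
        m = SWITCH.match(line)
        if m and m.group(4) == directive and m.group(2):
            line = m.group(1) + m.group(3)  # drop the leading "# " only
            changed += 1
        out.append(line)
    if changed == 0 and not decoder_switches(conf_text).get(directive):
        raise ValueError(f"{directive} not found in config")
    return "\n".join(out) + "\n"

# Constructed sample, taken from the snort.conf excerpt quoted in the message.
SAMPLE = """\
# Stop generic decode events:
#
# config: disable_decode_alerts
#
# Stop Alerts on T/TCP alerts
#
# config: disable_ttcp_alerts
#
# Stop Alerts on invalid ip options
# config: disable_ipopt_alerts
"""

if __name__ == "__main__":
    patched = uncomment(SAMPLE, "disable_ttcp_alerts")
    for name, active in decoder_switches(patched).items():
        print(f"{name:28} {'ACTIVE' if active else 'commented out'}")
```

Running the report before and after an upgrade of snort.conf shows at a glance whether any decoder alert class was silenced beyond the one intended.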


