[Snort-users] Help to configure SNORT
condor_rl at ...2470...
Tue Dec 23 14:02:03 EST 2003
I'm sorry to have posted the message to the wrong mailing-list..now I
Thanks for your suggestions!
You know that the default in "snort.conf" for "spp_stream4" is
I have enabled "evasion_alerts" even if I did not know well what it
does. I know this is the wrong way to do things... but I was trying to
have the maximum control over the suspicious traffic..
At the beginning my idea was to enable "evasion_alerts" and modify rules
to avoid this control against the servers I know.
Honestly I do not know how to realize this..because I'm still studying the
preprocessors and rules syntax...it is not so simple :(
Do you have any suggestions...?
Do you think it is a good idea to have "evasion_alerts" enabled even if it
causes lots of alerts?
On Tue, 2003-12-23 at 22:40, Matt Kettler wrote:
> At 04:25 PM 12/23/2003, Lorenzo Rossi wrote:
> >Could you help me to solve this problem?
> Ok, you made it to snort-users... did you get the rest of my message? I
> made the effort to offer some suggestions about your problem itself, and
> you reposted your question without any changes to reflect that you'd tried
> my suggestions.
> You should be able to get rid of these by configuring spp_stream4 with
> This is also the default setting in the default snort.conf, so I'm not sure
> why you've been getting these alerts.
> Do you already have disable_evasion_alerts as a parameter to spp_stream4 in
> your snort.conf?