[Snort-users] Help to configure SNORT

Lorenzo Rossi condor_rl at ...2470...
Tue Dec 23 14:02:03 EST 2003


Hi Matt,

I'm sorry to have posted the message to the wrong mailing-list..now I
have understood..:)

Thanks for your suggestions!

You know that the default in "snort.conf" for "spp_stream4" is
disable_evasion_alerts.

I have enabled "evasion_alerts" even if I did not know well what it
does. I know this is the wrong way to do things... but I was trying to
have the maximum control over the suspicious traffic..
At the beginning my idea was to enable "evasion_alerts" and modify rules
to avoid this control against the servers I know.
Honestly I do not know how to realize this..because I'm still studying the
preprocessors and rules syntax...it is not so simple :(

Do you have any suggestions...?

Do you think it is a good idea to have "evasion_alerts" enabled even if it
causes lots of alerts?

Thk
Lorenzo

On Tue, 2003-12-23 at 22:40, Matt Kettler wrote:
> At 04:25 PM 12/23/2003, Lorenzo Rossi wrote:
> 
> >Could you help me to solve this problem?
> 
> Ok, you made it to snort-users... did you get the rest of my message? I 
> made the effort to offer some suggestions about your problem itself, and 
> you reposted your question without any changes to reflect that you'd tried 
> my suggestions.
> 
> 
> ----------------
> You should be able to get rid of these by configuring spp_stream4 with 
> disable_evasion_alerts.
> 
> This is also the default setting in the default snort.conf, so I'm not sure 
> why you've been getting these alerts.
> ----------------
> 
> Do you already have disable_evasion_alerts as a parameter to spp_stream4 in 
> your snort.conf?
> 
> 
