[Snort-users] how to stop these UDP TCP alerts?

jlarsson at ...10160... jlarsson at ...10160...
Wed Sep 24 12:27:08 EDT 2003


Do you mean this section...?  What I mean is that I don't understand what these
options do and what their explanations mean.
 
/Johan 
 
# Configure the snort decoder: 
# ============================ 
# 
# Stop generic decode events: 
# 
# config disable_decode_alerts 
# 
# Stop Alerts on experimental TCP options 
# 
config disable_tcpopt_experimental_alerts 
# 
# Stop Alerts on obsolete TCP options 
# 
config disable_tcpopt_obsolete_alerts 
# 
# Stop Alerts on T/TCP alerts 
# 
config disable_ttcp_alerts 
# 
# Stop Alerts on all other TCPOption type events: 
# 
# config disable_tcpopt_alerts 
# 
# Stop Alerts on invalid ip options 
# 
config disable_ipopt_alerts 
 
 
Quoting Erek Adams <erek at ...950...>: 
 
> On Wed, 24 Sep 2003, jlarsson at ...10160... wrote: 
>  
> > I have scanned through mailing lists looking for which "false alerts"
> > these TCP checks will stop.  I get the following messages in my alert file
> > 
> > (snort_decoder): Short UDP packet, length field > payload length 
> > (snort_decoder) WARNING: TCP Header length exceeds packet length! 
> > (snort_decoder): Truncated Tcp Options 
> > 
> > Where can I find an explanation of what these mean: "Stop generic
> > decode event", "Stop alerts on experimental TCP options", etc.
>  
> Have a look in snort.conf.  There's a whole section that deals with
> those types of alerts!  :)
>  
> ----- 
> Erek Adams 
>  
>    "When things get weird, the weird turn pro."   H.S. Thompson 
>  
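
As an illustration of the three decoder messages quoted in this thread, the following C example (added here, not part of the original messages and not Snort's own decoder code) shows header checks of the kind those messages name. The function names and the sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Illustration only, not Snort source; all names here are hypothetical. */

/* UDP length field (bytes 4-5: header + data) claims more than was captured. */
int udp_len_exceeds_payload(const uint8_t *udp, size_t caplen) {
    if (caplen < 8) return 1;                    /* no complete UDP header */
    size_t claimed = ((size_t)udp[4] << 8) | udp[5];
    return claimed > caplen;
}

/* TCP data offset (high nibble of byte 12, in 32-bit words) exceeds the packet. */
int tcp_hdr_exceeds_packet(const uint8_t *tcp, size_t caplen) {
    if (caplen < 20) return 1;                   /* no complete fixed header */
    return (size_t)(tcp[12] >> 4) * 4 > caplen;
}

/* Walk kind/length options; one that runs past the header end is truncated. */
int tcp_options_truncated(const uint8_t *tcp, size_t caplen) {
    if (caplen < 20) return 0;                   /* reported by the check above */
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;
    if (hlen < 20 || hlen > caplen) return 0;    /* header-level problem instead */
    for (size_t i = 20; i < hlen; ) {
        if (tcp[i] == 0) break;                  /* End of Option List */
        if (tcp[i] == 1) { i++; continue; }      /* No-Operation, one byte */
        if (i + 1 >= hlen) return 1;             /* length byte missing */
        size_t len = tcp[i + 1];
        if (len < 2 || i + len > hlen) return 1; /* bad length or overrun */
        i += len;
    }
    return 0;
}

/* Constructed sample packets (transport header onward), not captured traffic. */
const uint8_t udp_ok[12]    = {0x04,0xd2,0x00,0x35,0x00,0x0c,0,0,'t','e','s','t'};
const uint8_t udp_short[12] = {0x04,0xd2,0x00,0x35,0x00,0x40,0,0,'t','e','s','t'};
const uint8_t tcp_ok[24]    = {0x04,0xd2,0x00,0x50,0,0,0,1,0,0,0,0,0x60,0x02,
                               0xff,0xff,0,0,0,0, 2,4,0x05,0xb4};
const uint8_t tcp_long[20]  = {0x04,0xd2,0x00,0x50,0,0,0,1,0,0,0,0,0xf0,0x02,
                               0xff,0xff,0,0,0,0};
const uint8_t tcp_trunc[24] = {0x04,0xd2,0x00,0x50,0,0,0,1,0,0,0,0,0x60,0x02,
                               0xff,0xff,0,0,0,0, 8,10,0,0};

int main(void) {
    printf("udp_short: %d\n", udp_len_exceeds_payload(udp_short, sizeof udp_short));
    printf("tcp_long:  %d\n", tcp_hdr_exceeds_packet(tcp_long, sizeof tcp_long));
    printf("tcp_trunc: %d\n", tcp_options_truncated(tcp_trunc, sizeof tcp_trunc));
    return 0;
}
```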



