[Snort-users] 'config stateful' option

Jeremy Hoel jthoel at ...11827...
Wed Nov 13 19:11:38 EST 2013

The stream4 stuff is not in the config.. it's all stream 5.  This
comment was up with the other config options (disable_decode_alerts,
ttcp_alerts, etc).

On Wed, Nov 13, 2013 at 11:59 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 11/13/2013 6:17 PM, Jeremy Hoel wrote:
>> We noticed that our snort boxes didn't trigger on a rule that was
>> reported by an upstream provider.  Taking the pcaps and playing them
>> back against a stock snort.conf shows that the rule triggers. One of
>> the differences between the configs is that ours included "config
>> stateful". From most of the documentation, this is a holdover from the
>> stream4 processor and we are configured to use stream5 (, but
>> when that statement was in the config, the udp packets wouldn't
>> trigger the rule.  Comment it out and it did.
> do you still have any stream4 config stuff in your configs? i've been under the
> impression that since stream5 came out, all stream4 stuff should be completely
> removed from one's config...
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
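
The comparison described in this thread (a deployed snort.conf against a stock one, to find the directive that changes detection) can be scripted. This is an added example, not part of the thread and not Snort project code; both sample configs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample configs (not from the thread): a stock-style snort.conf
# and a deployed one that still carries a "config stateful" line.
STOCK_CONF = """\
# decoder options
config disable_decode_alerts
config disable_ttcp_alerts
preprocessor stream5_global: track_tcp yes, \\
    track_udp yes
"""
DEPLOYED_CONF = """\
config disable_decode_alerts
config disable_ttcp_alerts
config   stateful
preprocessor stream5_global: track_tcp yes, track_udp yes
"""

def active_directives(text):
    """Return the normalized, uncommented config/preprocessor lines of a snort.conf."""
    joined = re.sub(r"\\\r?\n", " ", text)   # join backslash-continued lines
    found = set()
    for line in joined.splitlines():
        line = " ".join(line.split())        # collapse runs of whitespace
        if line.startswith("#"):             # full-line comment, i.e. disabled
            continue
        if line.startswith(("config ", "preprocessor ")):
            found.add(line)
    return found

def config_diff(stock, deployed):
    """Directives active only in the deployed config, and only in the stock one."""
    s, d = active_directives(stock), active_directives(deployed)
    return sorted(d - s), sorted(s - d)

def stream4_leftovers(text):
    """Active lines naming stream4, or the 'config stateful' line from this thread."""
    return sorted(x for x in active_directives(text)
                  if "stream4" in x or x == "config stateful")

if __name__ == "__main__":
    only_deployed, only_stock = config_diff(STOCK_CONF, DEPLOYED_CONF)
    print("only in deployed:", only_deployed)
    print("only in stock:   ", only_stock)
    print("legacy candidates:", stream4_leftovers(DEPLOYED_CONF))
```

Each directive the diff reports is a candidate to comment out before replaying the pcap again, as was done with "config stateful" above.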
