
Snort Forums Archive

Rule thresholding


Posted by mishka on August 12, 2005 07:30:30

I am running a Check Point cluster on my network.
Since I upgraded to version 2.4 I am getting a lot of "(snort decoder) Bad Traffic Same Src/Dst IP" alerts when the IP is the VIP of the cluster.
I cannot make these alerts go away!
I have tried thresholding with sid 527, but since the upgrade it is not working.

Can somebody help?
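
As an added example (not from any post in this thread and not Snort project documentation), here are the snort.conf alternatives for the situation mishka describes: the blanket decoder switch that roesch's reply below relies on, and the narrower event-filter forms that leave the decoder tests on for every other host. The generator id 116 (snort_decoder) and signature id 151 ("Bad Traffic Same Src/Dst IP") are not stated anywhere in the thread and come from Snort's gen-msg.map as I recall it, so verify them against the gen-msg.map shipped with your version; 10.0.0.1 is a constructed placeholder for the cluster VIP. The thread does not confirm whether suppress/threshold reaches decoder events in 2.4.0 itself, so treat the filter forms as the approach for a version where decoder events go through the event queue.

```conf
# snort.conf fragment (added example; not from the thread)

# Option 1: the blanket switch roesch's reply depends on.
# Turns off every decoder event, including the loopback and
# same-src/dst tests, so nothing from decode.c is ever logged.
#config disable_decode_alerts

# Option 2 (narrower): keep decoder alerts on and silence only the
# cluster VIP. gen_id 116 = snort_decoder generator; sig_id 151 =
# "Bad Traffic Same Src/Dst IP" (both assumed; check gen-msg.map).
# 10.0.0.1 is a constructed placeholder for the VIP. A same-src/dst
# packet has the VIP as source, so track by_src matches it.
suppress gen_id 116, sig_id 151, track by_src, ip 10.0.0.1

# Option 3 (alternative to 2): rate-limit instead of silencing, so a
# genuine land-attack packet from any other host is still reported
# once per source per minute.
#threshold gen_id 116, sig_id 151, type limit, track by_src, count 1, seconds 60
```

Option 2 is the one that preserves detection: a spoofed same-src/dst packet from any address other than the VIP still raises the decoder event, which is lost entirely under Option 1.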

Posted by roesch on August 18, 2005 20:13:13

It's a bug in 2.4.0; here's a patch to turn it off. Apply it and disable decoder alerts in the snort.conf file.

--- decode.c.orig 2005-08-15 09:21:28.000000000 -0400
+++ decode.c 2005-08-17 12:35:33.000000000 -0400
@@ -2081,7 +2081,10 @@
/*
* IP Header tests: Land attack, and Loop back test
*/
- IPHdrTests( p->iph );
+ if((runMode == MODE_IDS) && pv.decoder_flags.decode_alerts)
+ {
+ IPHdrTests( p->iph );
+ }


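Review bot: the hunk header `@@ -2081,7 +2081,10 @@` announces 7 old and 10 new lines, but the body shows only the three leading comment lines, one `-` line and four `+` lines, so the trailing context is missing and `patch` will reject this hunk as malformed; the corrected copy in the following post is the one to apply. The leading single space on context lines and the indentation have also been lost in the forum rendering, so even the complete copy needs `patch -l` (ignore whitespace) or hand-application.
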
Posted by roesch on August 18, 2005 20:14:03

Sorry, use this patch:

--- decode.c.orig 2005-08-15 09:21:28.000000000 -0400
+++ decode.c 2005-08-17 12:35:33.000000000 -0400
@@ -2081,7 +2081,10 @@
/*
* IP Header tests: Land attack, and Loop back test
*/
- IPHdrTests( p->iph );
+ if((runMode == MODE_IDS) && pv.decoder_flags.decode_alerts)
+ {
+ IPHdrTests( p->iph );
+ }


if(pv.checksums_mode & DO_IP_CHECKSUMS)
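
Review bot: with the two blank context lines and `if(pv.checksums_mode & DO_IP_CHECKSUMS)` restored, the line counts now match the `-2081,7 +2081,10` header, so this copy is well-formed; context lines still lack their leading space in the forum rendering, so apply with `patch -l` or re-add it. On the logic: the guard `(runMode == MODE_IDS) && pv.decoder_flags.decode_alerts` skips `IPHdrTests( p->iph )` entirely rather than only its alert generation, which is the intended "turn it off" effect but means `config disable_decode_alerts` now also removes the loopback test named in the comment above the call, not just the same-src/dst one. A one-line comment above the `if` stating that these header tests are alert-only, and so safe to skip when alerts are disabled, would make that explicit for the next reader.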

Posted by mishka on August 20, 2005 23:50:13

Hmmm,

I am having a hard time implementing the patch.