
Snort Forums Archive


snort_decoder: Experimental TCP options


Posted by TBoNe on March 23, 2005 06:45:23

How can I disable this message? I believe it's coming from the snort decoder. I am seeing hundreds of thousands of these and can't seem to figure out where to disable it. I see a reference to it in gen-mag.map file used by barnyard, but I am not sure if this is where I disable it.

Snort 2.3.2 latest rules
Barnyard 0.2.0 (build 32)
Sguil 0.5.2
Redhat Enterprise 3

Posted by jimmythegeek on February 06, 2007 18:38:49

You've probably long since moved on, but here goes...

In your snort.conf file, go to the snort decoder section. Uncomment the line:
config disable_tcpopt_experimental_alerts


From the default snort.conf


# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
####!!!!!!THIS IS WHAT YOU WANT
# Stop Alerts on experimental TCP options
#
config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
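
An added example, not part of the original thread and not Snort's own tooling: a shell sketch that lists which decoder "config disable_*" directives in a snort.conf are active, then writes a copy with one of them uncommented so the change described above can be reviewed before it replaces the live file. The function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit and toggle Snort 2.x decoder
# "config disable_*" directives without editing snort.conf in place.

# decoder_state FILE: print "<directive> active|commented" for each one found.
decoder_state() {
    awk '
        /^[ \t]*#?[ \t]*config[ \t]+disable_[a-z_]+[ \t]*$/ {
            state = ($0 ~ /^[ \t]*#/) ? "commented" : "active"
            name = $0
            sub(/^[ \t#]*config[ \t]+/, "", name)   # drop leading "# config "
            sub(/[ \t]+$/, "", name)                # drop trailing blanks
            print name, state
        }' "$1"
}

# uncomment_directive FILE NAME: write FILE to stdout with NAME enabled.
uncomment_directive() {
    awk -v name="$2" '
        $0 ~ ("^[ \t]*#[ \t]*config[ \t]+" name "[ \t]*$") {
            sub(/^[ \t]*#[ \t]*/, "")
        }
        { print }' "$1"
}

# Constructed sample: the decoder section with every directive commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
EOF

echo "before:"; decoder_state "$sample"
uncomment_directive "$sample" disable_tcpopt_experimental_alerts > "$sample.new"
echo "after:";  decoder_state "$sample.new"
rm -f "$sample" "$sample.new"
```

An active directive silences that decoder alert for all traffic the sensor sees, so the before/after listing is worth keeping with the change record.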

Posted by mykol_j on June 11, 2008 11:14:53

To show you how timeless these postings are: Thanks! -- it just helped me today... in 2008.