The Snort decoder inspects the structure of each network packet to check that it is constructed according to specification. If a packet has a strange size, strangely set options, or uncommon settings, Snort generates an alert. If you are not concerned about these alerts, or you find that they produce a large number of false positives, you can disable the alerts generated by the Snort decoder. By default, all such alerts are enabled. To disable a particular type of alert, remove the comment character (#) at the beginning of the corresponding line. The Snort decoder configuration options are:
# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts
By default, the Snort decoder alerts on the use of some of the uncommon TCP option settings. Since it is rare to see them in a normal network conversation, their presence is assumed to indicate nefarious activity. This may not be the case. The negative logic is a little weird, but if you want to disable the alerts generated by the decoder when it comes across one of these TCP options, remove the "#" character from the beginning of the appropriate line.
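Because of that negative logic, it is easy to misread a snort.conf and believe decoder alerts are on when they have been switched off. The following audit script is an added example, not part of the original text or of Snort itself; it reads the six decoder directives listed above from a configuration file and reports which alert classes are still enabled (a commented-out or absent directive leaves alerts on, which is the Snort default). The sample configuration embedded in it is constructed for the example.

```python
"""Audit the Snort decoder alert directives in a snort.conf (added example)."""
import re

# The six decoder directives discussed on the page.
DECODER_DIRECTIVES = (
    "disable_decode_alerts",
    "disable_tcpopt_experimental_alerts",
    "disable_tcpopt_obsolete_alerts",
    "disable_tcpopt_ttcp_alerts",
    "disable_tcpopt_alerts",
    "disable_ipopt_alerts",
)

# An active directive is a line that starts with "config <name>" and is
# not commented out. "# config ..." and "#config ..." both fail to match,
# which is exactly the "commented out, so alerts stay enabled" case.
_ACTIVE = re.compile(r"^\s*config\s+(\w+)\b")


def decoder_alert_status(conf_text):
    """Return {directive: alerts_enabled} for every decoder directive.

    Negative logic of the directives: an uncommented
    "config disable_X_alerts" line DISABLES the X alerts, so the
    directive being present means alerts_enabled is False.
    """
    disabled = set()
    for line in conf_text.splitlines():
        m = _ACTIVE.match(line)
        if m and m.group(1) in DECODER_DIRECTIVES:
            disabled.add(m.group(1))
    return {d: d not in disabled for d in DECODER_DIRECTIVES}


def disabled_decoder_alerts(conf_text):
    """Sorted names of the decoder alert classes the config has turned off."""
    status = decoder_alert_status(conf_text)
    return sorted(d for d, enabled in status.items() if not enabled)


# Constructed sample configuration: two directives uncommented (alerts off),
# the rest commented out or missing (alerts on).
SAMPLE_CONF = """\
# config disable_decode_alerts
config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_obsolete_alerts
config disable_ipopt_alerts
#config disable_tcpopt_alerts
"""

if __name__ == "__main__":
    for directive, enabled in decoder_alert_status(SAMPLE_CONF).items():
        print(f"{directive:40} alerts {'ENABLED' if enabled else 'disabled'}")
```

Run it against a real snort.conf by reading the file into `decoder_alert_status`; any directive reported as disabled is one whose decoder alerts the sensor will never raise.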
The option that may not seem familiar is the disable_tcpopt_ttcp_alerts option. If you use T/TCP in your environment (a hybrid transaction protocol between TCP and UDP in function and used to facilitate web transactions; see ...