Managing Security with Snort & IDS Tools by Christopher Gerg, Kerry J. Cox


Snort Decoder and Detection Engine Configuration

The Snort decoder inspects the structure of network packets to make sure they are constructed according to specification. If a packet has an unusual size, oddly set options, or uncommon settings, Snort generates an alert. If you are not concerned about these alerts, or you find that they produce a large number of false positives, you can disable the alerts generated by the Snort decoder. By default, all such alerts are enabled. To disable a particular type of alert, remove the comment character (#) at the beginning of the corresponding line. The Snort decoder configuration options are:

# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts

By default, the Snort decoder alerts on the use of some uncommon TCP option settings. Since they are rarely seen in a normal network conversation, their presence is assumed to indicate nefarious activity. This may not be the case. The negative logic is a little weird, but if you want to disable the alerts the decoder generates when it encounters one of these TCP options, remove the "#" character from the beginning of the appropriate line.

The option that may not seem familiar is the disable_tcpopt_ttcp_alerts option. If you use T/TCP in your environment (a hybrid transaction protocol between TCP and UDP in function and used to facilitate web transactions—see ...
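Because of the negative logic described above (an uncommented config line turns an alert class off, a commented or absent one leaves it on), it is easy to silence a decoder alert class by accident and never notice. The following Python checker is an added example, not code from the book or from the Snort project: it reads a snort.conf fragment and reports which of the six decoder alert directives listed above are active. The directive names come from the page; the short descriptions, the function names audit_decoder_alerts and silenced_alert_classes, and the sample configuration are assumptions constructed for this example.

```python
"""Audit which Snort decoder alert classes a snort.conf leaves enabled.

Added example (not the book's or Snort's own code). Assumption: directive
names are matched exactly as the page lists them, and any other `config`
line is ignored.
"""
import re
from typing import Dict, List

# The decoder alert directives listed on the page. Each one, when present and
# NOT commented out, DISABLES the corresponding class of decoder alerts.
# The descriptions on the right are constructed for this example.
DECODER_ALERT_DIRECTIVES = {
    "disable_decode_alerts": "general decoder alerts",
    "disable_tcpopt_experimental_alerts": "experimental TCP options",
    "disable_tcpopt_obsolete_alerts": "obsolete TCP options",
    "disable_tcpopt_ttcp_alerts": "T/TCP options",
    "disable_tcpopt_alerts": "other TCP option anomalies",
    "disable_ipopt_alerts": "IP option anomalies",
}

# A bare `config <directive>` line with no arguments.
_CONFIG_LINE = re.compile(r"^config\s+([A-Za-z_]+)\s*$")


def audit_decoder_alerts(conf_text: str) -> Dict[str, bool]:
    """Return {directive: alerts_enabled} for each decoder directive.

    Negative logic from the page: a directive that is present and uncommented
    turns that alert class OFF; a commented-out (#) or absent directive leaves
    it ON, which is Snort's default.
    """
    status = {name: True for name in DECODER_ALERT_DIRECTIVES}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: no effect, alerts stay enabled
        match = _CONFIG_LINE.match(line)
        if match and match.group(1) in status:
            status[match.group(1)] = False  # uncommented directive: alerts off
    return status


def silenced_alert_classes(conf_text: str) -> List[str]:
    """Human-readable list of the decoder alert classes the config silences."""
    status = audit_decoder_alerts(conf_text)
    return [DECODER_ALERT_DIRECTIVES[d] for d, on in status.items() if not on]


# Constructed sample snort.conf fragment (not from the book): the administrator
# has uncommented two directives and left the other four commented out.
SAMPLE_CONF = """\
# Snort decoder configuration (constructed sample)
# config disable_decode_alerts
config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts
"""

if __name__ == "__main__":
    for directive, enabled in audit_decoder_alerts(SAMPLE_CONF).items():
        state = "enabled" if enabled else "DISABLED"
        print(f"{directive:40s} {state}")
    print("Silenced classes:", ", ".join(silenced_alert_classes(SAMPLE_CONF)))
```

Run it against a real snort.conf by reading the file into conf_text; any class reported as DISABLED is one the sensor will never alert on, which is worth confirming against the reason it was turned off (for example, legitimate T/TCP use on the network rather than a forgotten edit).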
