Snort mailing list archives

Re: snort_decoder


From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 17 Jul 2005 21:53:39 -0400

Actually, they're protocol "anomalies", which is a great illustration of the point that protocol anomaly detection relies on people to care a whole lot about stuff that doesn't mean anything to most people...

     -Marty


On Jul 17, 2005, at 7:26 PM, Joel Esler wrote:

No, they are decoder "errors" telling you that a packet that has "tcp options" "with bad lengths" has been found and that (maybe another packet) that the tcp options have been truncated.

Most people I know shut these off.

You can find out how to shut these off in the snort.conf or in the snort manual.

joel


On Jul 17, 2005, at 4:17 PM, Angelita de Cássia Corrêa wrote:

Do these alerts mean false positives?

(snort_decoder): Tcp Options found with bad lengths
(snort_decoder): Truncated Tcp Options


Thanks





--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
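
Added example, not part of the original thread and not Snort's decoder code: a minimal C walk over a TCP options area that separates the two conditions named in the alerts above (an option whose length field is invalid, and an option that runs past the end of the header). The function names, the status enum, the sample byte arrays and the mapping of each condition to an alert are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum opt_status { OPT_OK = 0, OPT_BAD_LENGTH, OPT_TRUNCATED };

/* Constructed sample option blocks (not captured traffic). */
static const uint8_t SAMPLE_OK[]     = {2, 4, 0x05, 0xb4, 1, 3, 3, 7}; /* MSS, NOP, WScale */
static const uint8_t SAMPLE_BADLEN[] = {2, 3, 0x05, 0xb4};             /* MSS claims len 3 */
static const uint8_t SAMPLE_ZERO[]   = {8, 0, 0, 0};                   /* len < 2 */
static const uint8_t SAMPLE_TRUNC[]  = {1, 1, 8, 10, 0, 1};            /* timestamps cut short */
static const uint8_t SAMPLE_NOLEN[]  = {1, 2};                         /* no length byte */

/* Total length (kind + len + data) of fixed-size options; 0 = variable. */
static uint8_t fixed_len(uint8_t kind) {
    switch (kind) {
    case 2: return 4;   /* maximum segment size */
    case 3: return 3;   /* window scale */
    case 4: return 2;   /* SACK permitted */
    case 8: return 10;  /* timestamps */
    default: return 0;
    }
}

/* Walk the options area (the bytes after the 20-byte fixed TCP header). */
enum opt_status check_tcp_options(const uint8_t *opts, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t kind = opts[i];
        if (kind == 0) return OPT_OK;            /* end of option list */
        if (kind == 1) { i++; continue; }        /* NOP is a single byte */
        if (i + 1 >= n) return OPT_TRUNCATED;    /* kind present, length byte missing */
        uint8_t len = opts[i + 1];
        if (len < 2) return OPT_BAD_LENGTH;      /* would never advance past kind+len */
        if (fixed_len(kind) && len != fixed_len(kind)) return OPT_BAD_LENGTH;
        if (i + len > n) return OPT_TRUNCATED;   /* option runs past the header */
        i += len;
    }
    return OPT_OK;
}

int main(void) {
    printf("ok=%d badlen=%d trunc=%d\n",
           check_tcp_options(SAMPLE_OK, sizeof SAMPLE_OK),
           check_tcp_options(SAMPLE_BADLEN, sizeof SAMPLE_BADLEN),
           check_tcp_options(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```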




