The Snort decoder checks the structure of network packets to make sure they are constructed according to specification. If a packet has an unusual size, strangely set options, or uncommon settings, Snort generates an alert. If you are not concerned about these alerts, or you see a large number of false positives from them, you can disable the alerts generated by the Snort decoder. By default, all such alerts are enabled, and each option that disables one of them ships commented out. To disable a particular type of alert, remove the comment character (#) at the beginning of the corresponding line. The Snort decoder configuration options are:
By default, the Snort decoder also alerts on the use of some uncommon TCP options. Since they are rarely seen in a normal network conversation, their presence is assumed to indicate nefarious activity. This may not be the case. The negative logic is a little weird, but if you want to disable the alerts the decoder generates when it comes across one of these TCP options, remove the "#" character from the beginning of the appropriate line.
Note that many of the Snort command-line options can also be set in this portion of the snort.conf file. Table 5-1 shows some of these options.
Table 5-1. snort.conf configure options
| Option | Description |
|---|---|
| config order: [pass, alert, log, activation, or dynamic] | Change the order in which rule types are evaluated. |
| config alertfile: alerts | Set the alerts output file. |
| config decode_arp | Turn on ARP decoding (snort -a). |
| config dump_chars_only | Turn on character dumps (snort -C). |
| config dump_payload | Dump application-layer data (snort -d). |
| config decode_data_link | Decode Layer 2 headers (snort -e). |
| config bpf_file: filters.bpf | Specify a BPF filter file (snort -F). |
| config set_gid: 30 | Run as the specified group ID (snort -g). |
| config daemon | Run Snort in daemon mode (snort -D). |
| config interface: <interface name> | Set the network interface (snort -i). |
| config alert_with_interface_name | Append the interface name to alerts (snort -I). |
| config logdir: /var/log/snort | Set the logging directory (snort -l). |
| config umask: <umask> | Set the umask while running (snort -m). |
| config pkt_count: N | Exit after N packets (snort -n). |
| config nolog | Disable logging; alerts are still generated (snort -N). |
| config obfuscate | Obfuscate IP addresses in output (snort -O). |
| config no_promisc | Disable promiscuous mode (snort -p). |
| config quiet | Disable the banner and status reports (snort -q). |
| config chroot: /home/snort | Chroot to the specified directory (snort -t). |
| config checksum_mode: all | Which protocols to verify checksums for. Values: none, noip, notcp, noicmp, noudp, or all. |
| config set_uid: <id> | Run as the specified user ID (snort -u). |
| config utc | Use UTC instead of local time for timestamps (snort -U). |
| config verbose | Verbose packet output to stdout (snort -v). |
| config dump_payload_verbose | Dump raw packet data starting at the link layer (snort -X). |
| config show_year | Show the year in timestamps (snort -y). |
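The fragment below is an added example, not from the book or from the Snort distribution, and it ties together the two mechanisms this section describes: the decoder's commented-out disable lines, where uncommenting a line turns that class of alert off, and the config directives from Table 5-1. The snort.conf text is a constructed sample; the decoder option names are the ones shipped in the stock Snort 2.x snort.conf, while the user and group name "snort", the chroot directory /var/snort and the log directory are assumptions. Two small shell functions audit such a file: one lists the decoder alert classes that have actually been disabled, the other confirms that set_uid, set_gid and chroot are all set and uncommented before the sensor goes into production.

```shell
#!/bin/sh
# Added example, not from the book or from the Snort project.
# A constructed snort.conf fragment using the decoder "disable_*" lines and
# the "config" directives from Table 5-1, plus two audit helpers.
# Assumed values: user/group "snort", chroot /var/snort, logdir /var/log/snort.

SNORT_CONF_SAMPLE='# --- Snort decoder alerts (constructed sample) ---
# Every class of decoder alert is ON by default; uncommenting one of these
# "disable_*" lines turns that class OFF. Names are the stock Snort 2.x ones.
# config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts

# --- Run-time settings, equivalent to the command-line switches in Table 5-1 ---
config set_uid: snort
config set_gid: snort
config chroot: /var/snort
config umask: 027
config logdir: /var/log/snort
config checksum_mode: all
config utc
config show_year
config daemon
'

# List the decoder alert classes that are DISABLED: the active (uncommented)
# "config disable_...alerts" lines. Reads snort.conf text on stdin.
disabled_decoder_alerts() {
    awk '$1 == "config" && $2 ~ /^disable_.*alerts$/ { print $2 }'
}

# Print the value of "config <key>: <value>" (empty if the key is absent or
# commented out). Accepts both "key: value" and "key : value" spellings.
config_value() {
    awk -v key="$1" '
        $1 == "config" {
            sub(/:$/, "", $2)
            if ($2 == key) {
                val = ($3 == ":") ? $4 : $3
                print val
            }
        }'
}

# Succeed only if the sensor drops root privileges and chroots:
# set_uid, set_gid and chroot must all be present and uncommented.
privilege_drop_ok() {
    conf=$(cat)
    for key in set_uid set_gid chroot; do
        [ -n "$(printf '%s\n' "$conf" | config_value "$key")" ] || return 1
    done
    return 0
}

# Usage over the constructed fragment.
echo "Decoder alert classes disabled:"
printf '%s' "$SNORT_CONF_SAMPLE" | disabled_decoder_alerts
if printf '%s' "$SNORT_CONF_SAMPLE" | privilege_drop_ok; then
    echo "privilege drop and chroot configured"
else
    echo "WARNING: set_uid, set_gid and chroot are not all set"
fi
```

Run against the sample, the first function prints only the two tcpopt classes, which is the point of the negative logic: a line that stays commented keeps its alerts on, so the audit must look at uncommented disable lines, not at the presence of the option name. The privilege check matters for the same reason; a chroot or set_uid line that someone commented out while debugging does nothing, and the sensor quietly keeps running as root. Leave checksum_mode at all unless you have a specific reason not to: with verification off, Snort inspects packets whose checksums the destination host would reject, a classic way to feed an IDS data the target never sees.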