Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 24 November 2024, 03:19:34 am

Login with username, password and session length

Download the latest community FREE version  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  More Settings for Snort
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: More Settings for Snort  (Read 13188 times)
theOtherDave
Jr. Member
*
Offline Offline

Posts: 2


« on: Friday 14 August 2015, 12:28:57 am »

Hello all,

Previous Untangle user recently come over to Endian.  I have a question - I am trying out endian in three different spots on my network - total 25 or 30 devices (family of 5, computers, laptops, cel phones, smart TVs, Apple TVs, , Game consoles, etc etc.) 

I am trying out the IPS section (I've run snort in a business context before) and while it's quite nice, mostly what I get out of it is an endless spew of "experimental tcp options found" - and I have to wade through an ocean of experimental tcp options to find anything else that really matters.

So, two options to either disable this or work around it:

1. can I disable the check that causes this ridiculous flood of junk?  or,
2. Is there any way to configure the logging to only log IPS items that are worse than severity level 3? 

Option 1 is preferred of course, but option 2 would at least help me get endian to shut up so I can see if there are any "real" problems.

Please let me know.
Logged
theOtherDave
Jr. Member
*
Offline Offline

Posts: 2


« Reply #1 on: Friday 14 August 2015, 12:39:59 am »

A little search  found me this note:

seclists.org/snort/2008/q3/20

Which states I can work past the problem by adding the following to snort.conf:

config disable_tcpopt_alerts

But, sadly, if I do this, and then reboot, endian removes this line from snort.conf - even though I put it above the "Do not edit past this line" warning.
 
Logged
boergnet
Full Member
***
Offline Offline

Posts: 16


« Reply #2 on: Saturday 15 August 2015, 02:49:14 am »

Do not edit the '/etc/snort/snort.conf' directly as  EFW creates this file from the template every time the proxy is started so your changes will be overwritten.
Edit /etc/snort/snort.conf.tmpl
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.063 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com