EFW Support

Support => General Support => Topic started by: theOtherDave on Friday 14 August 2015, 12:28:57 am



Title: More Settings for Snort
Post by: theOtherDave on Friday 14 August 2015, 12:28:57 am
Hello all,

Previous Untangle user who recently came over to Endian. I have a question - I am trying out Endian in three different spots on my network - total 25 or 30 devices (family of 5, computers, laptops, cell phones, smart TVs, Apple TVs, game consoles, etc. etc.)

I am trying out the IPS section (I've run snort in a business context before) and while it's quite nice, mostly what I get out of it is an endless spew of "experimental tcp options found" - and I have to wade through an ocean of experimental tcp options to find anything else that really matters.

So, two options to either disable this or work around it:

1. can I disable the check that causes this ridiculous flood of junk?  or,
2. Is there any way to configure the logging to only log IPS items that are worse than severity level 3? 

Option 1 is preferred of course, but option 2 would at least help me get endian to shut up so I can see if there are any "real" problems.

Please let me know.


Title: Re: More Settings for Snort
Post by: theOtherDave on Friday 14 August 2015, 12:39:59 am
A little search found me this note:

seclists.org/snort/2008/q3/20

Which states I can work past the problem by adding the following to snort.conf:

config disable_tcpopt_alerts

But, sadly, if I do this, and then reboot, endian removes this line from snort.conf - even though I put it above the "Do not edit past this line" warning.


Title: Re: More Settings for Snort
Post by: boergnet on Saturday 15 August 2015, 02:49:14 am
Do not edit '/etc/snort/snort.conf' directly, as EFW creates this file from the template every time the proxy is started, so your changes will be overwritten.
Edit /etc/snort/snort.conf.tmpl
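As an added example (not from this thread or from Endian's own tooling), a small shell helper that puts the `config disable_tcpopt_alerts` directive into the template idempotently, so it survives EFW regenerating snort.conf, plus a check you can run against the generated file after a restart. The template path comes from the thread; the exact wording of the "Do not edit past this line" marker is an assumption and is passed in as a parameter.

```shell
#!/bin/sh
# Idempotently add a Snort "config" directive to the EFW template
# (/etc/snort/snort.conf.tmpl) so it survives regeneration of
# /etc/snort/snort.conf. Assumption: the marker text below is the
# "Do not edit past this line" comment seen in the thread; adjust it
# if your release words it differently.
set -eu

# add_snort_directive TEMPLATE DIRECTIVE [MARKER]
add_snort_directive() {
    tmpl=$1
    directive=$2
    marker=${3:-"Do not edit past this line"}

    # Already present (ignoring surrounding whitespace)? Nothing to do.
    if grep -q "^[[:space:]]*${directive}[[:space:]]*$" "$tmpl"; then
        return 0
    fi

    tmp=$(mktemp)
    if grep -q "$marker" "$tmpl"; then
        # Insert the directive immediately before the first marker line,
        # i.e. in the editable part of the template.
        awk -v d="$directive" -v m="$marker" '
            !done && index($0, m) { print d; done = 1 }
            { print }
        ' "$tmpl" > "$tmp"
    else
        # No marker found: append the directive at the end.
        cat "$tmpl" > "$tmp"
        printf '%s\n' "$directive" >> "$tmp"
    fi
    # Copy back instead of mv so the template keeps its owner and mode.
    cat "$tmp" > "$tmpl"
    rm -f "$tmp"
}

# count_directive FILE DIRECTIVE: number of lines carrying the directive.
# Run it against /etc/snort/snort.conf after restarting the IPS to confirm
# the generated file picked the directive up exactly once.
count_directive() {
    grep -c "^[[:space:]]*$2[[:space:]]*$" "$1" || true
}
```

Usage: `add_snort_directive /etc/snort/snort.conf.tmpl "config disable_tcpopt_alerts"`, restart the IPS, then `count_directive /etc/snort/snort.conf "config disable_tcpopt_alerts"` should print 1.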