5.2 Snort Decoder and Detection Engine Configuration

The Snort decoder watches the structure of network packets to make sure they are constructed according to specification. If a packet has a strange size, strangely set options, or uncommon settings, Snort will generate an alert. If you are not concerned about these alerts or you find a large number of false positives, you can disable alerts generated by the Snort decoder. By default, all such alerts are enabled. To disable a particular type of alert, remove the comment character (#) at the beginning of the line. The Snort decoder configuration options are:

# config disable_decode_alerts

# config disable_tcpopt_experimental_alerts

# config disable_tcpopt_obsolete_alerts

# config disable_tcpopt_ttcp_alerts

# config disable_tcpopt_alerts

# config disable_ipopt_alerts

By default, the Snort decoder alerts on the use of some of the uncommon TCP option settings. Since it is rare to see them in a normal network conversation, it is assumed that their presence indicates nefarious activity. This may not be the case. The negative logic is a little weird, but if you want to disable the alerts generated by the decoder when it comes across one of these TCP options, remove the "#" character from the beginning of appropriate line.

The option that may not seem familiar is the disable_tcpopt_ttcp_alerts option. If you use T/TCP in your environment (a hybrid transaction protocol between TCP and UDP in function and used to facilitate web transactions—see RFC 1644 for details), you will want to disable alerts when Snort sees these options being used.

Please note that you can also insert many of the Snort command-line options in this portion of the snort.conf file, too. Table 5-1 shows some of these options.

Table 5-1. snort.conf configure options

Option	Description
config order: [pass, alert, log, activation, or dynamic]	Change the order that rules are evaluated.
config alertfile: alerts	Set the alerts output file.
config decode_arp	Turn on arp decoding (snort -a).
config dump_chars_only	Turn on character dumps (snort -C).
config dump_payload	Dump application layer information(snort -d).
config decode_data_link	Decode Layer2 headers (snort -e).
config bpf_file: filters.bpf	Specify BPF filters (snort -F).
config set_gid: 30	Change to GID to specified GID (snort -g).
config daemon	Run Snort in daemon mode (snort -D).
config interface: <interface name>	Set the network interface (snort -i).
config alert_with_interface_name	Append interface name to alert (snort -I).
config logdir: /var/log/snort	Set the logging directory (snort -l).
config umask: <umask>	Set umask when running (snort -m).
config pkt_count: N	Exit after N packets (snort -n).
config nolog	Disable logging. Note: alerts still occur (snort -N).
config obfuscate	Obfuscate IP addresses (snort -O).
config no_promisc	Disable promiscuous mode (snort -p).
config quiet	Disable banner and status reports (snort -q).
config chroot: /home/snort	Chroot to specified directory (snort -t).
config checksum_mode : all	Types of packets to calculate checksums. Values: none, noip, notcp, noicmp, noudp, or all.
config set_uid: <id>	Set UID to <id> (snort -u).
config utc	Use UTC instead of local time for timestamps (snort -U).
config verbose	Use Verbose logging to stdout (snort -v.)
config dump_payload_verbose	Dump raw packet starting at link layer (snort -X ).
config show_year	Show year in timestamps (snort -y).