Decoding is one of the first and most important steps Snort performs. The decoder determines the protocols carried in a packet and processes each header. It also looks for errors and anomalies in the header fields. Whether a given error is reported, and which alert is generated, depends on the configuration in snort.conf. Decoder alerts can be activated or deactivated with config statements. For example:
To enable alerts on IP field errors, we can add the following line to snort.conf
Similarly, to disable alerts on TCP field errors, we can add the following line to snort.conf
Alerts generated by the Snort decoder can be identified in the log file by generator ID 116. For example, if you are storing Snort alerts in log files, you may find entries like the following:
root# tail /var/log/snort/alert
[**] 116:5:1 (snort decoder) WARNING : Truncated IPV4 options …….
Here 116 is the generator ID (GID), which means the message was generated by the Snort decoder, and 5 is the signature ID (SID) used here for the truncated IPv4 options condition.
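The GID:SID:REV triplet above is what lets a defender separate decoder (protocol-anomaly) alerts from rule hits when reviewing an alert file. The following parser is an added example, not part of the original page or of Snort itself; the sample alert lines are constructed (the SID 999 and the 1:1000001 local-rule alert are placeholders), and the regex accepts both Snort's bracketed `[116:5:1]` fast-alert form and the bare `116:5:1` form shown on this page.

```python
import re
from collections import Counter

# Snort decoder alerts always carry generator ID 116.
DECODER_GID = 116

# Accepts "[**] [gid:sid:rev] msg [**]" (Snort alert_fast output) and the
# unbracketed "[**] gid:sid:rev msg" variant quoted on this page. A timestamp
# or other prefix before "[**]" is tolerated because re.search is used.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[?(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]?"
    r"\s*(?P<msg>.*?)\s*(?:\[\*\*\])?\s*$"
)

# Constructed sample alert file contents (SID 999 and the 1:1000001 rule are placeholders).
SAMPLE_ALERTS = """\
[**] [116:5:1] (snort decoder) WARNING: Truncated IPV4 options [**]
[**] [1:1000001:1] CONSTRUCTED local rule alert [**]
[**] 116:5:1 (snort decoder) WARNING : Truncated IPV4 options
[**] [116:999:1] (snort decoder) CONSTRUCTED placeholder decoder alert [**]
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return {'gid', 'sid', 'rev', 'msg'} for one alert line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "rev": int(m["rev"]),
        "msg": m["msg"],
    }


def decoder_summary(lines):
    """Count decoder alerts (GID 116) per SID, ignoring rule alerts and non-alert lines.

    A SID that dominates the count is a candidate for tuning via the
    decoder config statements in snort.conf rather than for investigation.
    """
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["gid"] == DECODER_GID:
            counts[alert["sid"]] += 1
    return counts


if __name__ == "__main__":
    for sid, n in decoder_summary(SAMPLE_ALERTS.splitlines()).most_common():
        print(f"decoder SID {sid}: {n} alert(s)")
```

Run it against `/var/log/snort/alert` by replacing `SAMPLE_ALERTS.splitlines()` with the file's lines.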