Decoder in Snort

By | November 10, 2010


Decoding is one of the first and most important steps that Snort performs. The decoder determines the underlying protocol in each packet and processes the header information. It also looks for errors and anomalies in the header fields. Which errors are detected and which alerts are raised depends on the configuration in snort.conf. Decoder alerts are activated or deactivated with config statements. For example, to enable alerts on IP field errors, add the following line to snort.conf:
config enable_ipopt_drops
Similarly, to disable alerts on TCP field errors, add the following line to snort.conf:
config disable_tcpopt_alerts

Alerts generated by the Snort decoder can be found in the log file with generator ID 116. For example, if you are storing Snort logs in log files, you may find the following log entries:
root# tail /var/log/snort/alert
[**] 116:5:1 (snort decoder) WARNING : Truncated IPV4 options …….
Here 116 is the generator ID, which means the message was generated by the Snort decoder. 5 is the signature ID (SID), used here for Truncated Ipv4 option…
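To triage decoder alerts in bulk, the generator ID and SID described above can be pulled out of each alert line and counted. The following is an added example, not part of the original post or of Snort itself: the sample lines are constructed, the function names are hypothetical, and the parser accepts the ID triplet with or without square brackets.

```python
import re
from collections import Counter

DECODER_GID = 116  # generator id the post attributes to the Snort decoder

# "[**]" marker, then the colon-separated id triplet (generator id, SID and
# a third number), optionally bracketed, then the message up to a closing
# "[**]" or the end of the line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[?(\d+):(\d+):(\d+)\]?\s*(.*?)\s*(?:\[\*\*\]|$)"
)

# Constructed sample lines (not taken from a real sensor).
SAMPLE_ALERTS = """\
[**] [116:5:1] (snort decoder) WARNING : Truncated IPV4 options [**]
[**] [1:1000001:1] LOCAL constructed rule alert [**]
[**] 116:5:1 (snort decoder) WARNING : Truncated IPV4 options
this line is not an alert header
[**] [116:5:1] (snort decoder) WARNING : Truncated IPV4 options [**]
"""


def parse_alert(line):
    """Return gid, sid, rev and message for an alert line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4)}


def decoder_summary(lines):
    """Count decoder (gid 116) alerts per (sid, message) pair."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["gid"] == DECODER_GID:
            counts[(alert["sid"], alert["msg"])] += 1
    return counts


if __name__ == "__main__":
    summary = decoder_summary(SAMPLE_ALERTS.splitlines())
    for (sid, msg), n in summary.most_common():
        print(f"{n:5d}  {DECODER_GID}:{sid}  {msg}")
```

A SID that dominates the summary is a candidate for investigating the traffic source or, if it is benign noise, for one of the disable statements in snort.conf.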