Snort mailing list archives
Re: Possible Retrans & Evasive RST's
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 27 Aug 2001 06:53:16 -0700 (PDT)
On Sun, 26 Aug 2001, Sheahan, Paul (PCLN-NW) wrote:

> I just upgraded to Snort 1.8 RELEASE version and am seeing a ton of "Possible Retransmission detection" and "Evasive RST detection" alerts coming from one node on our internal network going to many external hosts on the Internet.

Go to 1.8.1-RELEASE build 74.

> My questions:
> 1. What do these alerts mean? I can't seem to find any detailed info on them. I know they come from the stream processor but that's about all I know. I see this from many other internal nodes as well.

http://snort.sourcefirel.com/docs/FAQ.html#3.14

> 2. I see many messages in the Snort mailing list that mention changing the params on the preprocessor to avoid these types of messages. Why have this preprocessor if everyone is going to bypass it?

To let you know you have a badly broken TCP/IP stack on your network. :) Seriously, with all the bells and whistles turned on, stream4 is a noisy lil' bugger. Especially if any server or client is a M$ based TCP/IP stack.

Stream4 does lots of other neat things: Stateful inspection and large scale stream reassembly (256+ streams). Go to that link and read on what else it can do. It's a bit of a read, but well worth your time.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net