Snort mailing list archives
RE: spp_stream4: EVASIVE RST detection
From: "Bill Gercken" <bgercken () providentanalysis com>
Date: Fri, 13 Jul 2001 12:25:09 -0400
From the snort.conf:
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules. Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc. Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
#   keepstats [machine] - keep session statistics, add "machine" to get them in
#                         a flat format for machine reading
#   noinspect - turn off stateful inspection only
#   noalerts - turn off alerts from the stateful inspector
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4: noalerts
                      ^^^^^^^^--- This should do the trick.

-bill

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ralf Hildebrandt
Sent: Friday, July 13, 2001 7:59 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] spp_stream4: EVASIVE RST detection

On Wed, Jul 11, 2001 at 09:50:32AM +0200, Ralf Hildebrandt wrote:
OK, what is "spp_stream4: EVASIVE RST detection" ? And why is it cluttering my log? Between 18:16:55 and 09:44:11 I got 136 of these alerts. What exactly triggers it?
Or is there any way to disable that particular type of alert from the stream4 preprocessor?

--
ralf.hildebrandt () innominate com                        innominate AG
Technical Consultant                 Don't be afraid of what you see -
Diplom-Informatiker                   be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                      fax: +49.(0)30.308806-77

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
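
Added example, not part of the original thread and not Snort's own code: a small Python audit that reads a snort.conf, parses the stream4 directive using only the options documented in the excerpt quoted above, and reports when stateful-inspector alerts have been silenced. The names parse_stream4 and audit and the sample config are constructed for illustration; 8MB is taken as 8 * 1024 * 1024 bytes.

```python
import re

# Defaults stated in the quoted snort.conf comments: timeout 30 s, memcap 8MB
# (taken here as 8 * 1024 * 1024 bytes, an assumption about "MB").
DEFAULTS = {"keepstats": False, "machine": False, "noinspect": False,
            "noalerts": False, "timeout": 30, "memcap": 8 * 1024 * 1024}

DIRECTIVE = re.compile(r"^\s*preprocessor\s+stream4\s*(?::\s*(.*))?$")


def parse_stream4(conf_text):
    """Return the effective stream4 settings, or None if it is not loaded."""
    settings = None
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)   # commented-out lines start with '#': no match
        if not m:
            continue
        settings = dict(DEFAULTS)
        for opt in filter(None, (o.strip() for o in (m.group(1) or "").split(","))):
            words = opt.split()
            name, args = words[0], words[1:]
            if name in ("noinspect", "noalerts") and not args:
                settings[name] = True
            elif name == "keepstats" and args in ([], ["machine"]):
                settings["keepstats"] = True
                settings["machine"] = bool(args)
            elif name in ("timeout", "memcap") and len(args) == 1 and args[0].isdigit():
                settings[name] = int(args[0])
            else:
                raise ValueError("unrecognised stream4 option: %r" % opt)
    return settings


def audit(conf_text):
    """List the detection-visibility consequences of the stream4 line."""
    s = parse_stream4(conf_text)
    if s is None:
        return ["stream4 not loaded: no stateful inspection or reassembly"]
    notes = []
    if s["noalerts"]:
        notes.append("noalerts: all stateful-inspector alerts are off")
    if s["noinspect"]:
        notes.append("noinspect: stateful inspection is off")
    return notes


# Constructed sample input (not from a real deployment).
SAMPLE = """# preprocessor stream4: timeout 60
preprocessor stream4: noalerts, timeout 60, keepstats machine
"""
print(parse_stream4(SAMPLE), audit(SAMPLE))
```

Per the option list in the excerpt, noalerts turns off every alert from the stateful inspector, not only the EVASIVE RST one, which is why the audit flags it.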
Current thread:
- spp_stream4: EVASIVE RST detection Ralf Hildebrandt (Jul 11)
- Re: spp_stream4: EVASIVE RST detection Ralf Hildebrandt (Jul 13)
- RE: spp_stream4: EVASIVE RST detection Bill Gercken (Jul 13)
- <Possible follow-ups>
- RE: spp_stream4: EVASIVE RST detection Steve Halligan (Jul 13)
- Re: spp_stream4: EVASIVE RST detection Ralf Hildebrandt (Jul 13)