Snort mailing list archives

Re: Lots of "spp_stream4: TTL EVASION (reasemble) "

From: Mark Rowlands <mark.rowlands () minmail net>
Date: Sun, 28 Jul 2002 01:05:33 +0200

On Thu July 25 2002 21:20, Augustinho Catto wrote:

Dear gurus:
Since I installed snort 1.87 version I received lots of alerts kind
"spp_stream4: TTL EVASION (reassemble) detection ".
It happened in spite of fact I´ve already set:
"preprocessor stream4: disable_evasion_alerts" and
"preprocessor stream4_reassemble: noalerts" in snort.conf.
In this network exists a "Total Control" which receive dial-up
connections.
How could avoid this false alerts?
TIA,
Catto


try 

preprocessor stream4: detect_scans,disable_evasion,noalerts

and run it in cmdline mode first and check the Stream4 config output.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Lots of "spp_stream4: TTL EVASION (reasemble) " Augustinho Catto (Jul 25)
- Re: Lots of "spp_stream4: TTL EVASION (reasemble) " Mark Rowlands (Jul 27)
- <Possible follow-ups>
- RE: Lots of "spp_stream4: TTL EVASION (reasemble) " Cloppert, Michael (Jul 31)