Snort mailing list archives
Re: Lots of "spp_stream4: TTL EVASION (reasemble) "
From: Mark Rowlands <mark.rowlands () minmail net>
Date: Sun, 28 Jul 2002 01:05:33 +0200
On Thu July 25 2002 21:20, Augustinho Catto wrote:
Dear gurus: Since I installed snort 1.87 version I received lots of alerts kind "spp_stream4: TTL EVASION (reassemble) detection ". It happened in spite of fact I´ve already set: "preprocessor stream4: disable_evasion_alerts" and "preprocessor stream4_reassemble: noalerts" in snort.conf. In this network exists a "Total Control" which receive dial-up connections. How could avoid this false alerts? TIA, Catto
try preprocessor stream4: detect_scans,disable_evasion,noalerts and run it in cmdline mode first and check the Stream4 config output. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Lots of "spp_stream4: TTL EVASION (reasemble) " Augustinho Catto (Jul 25)
- Re: Lots of "spp_stream4: TTL EVASION (reasemble) " Mark Rowlands (Jul 27)
- <Possible follow-ups>
- RE: Lots of "spp_stream4: TTL EVASION (reasemble) " Cloppert, Michael (Jul 31)