RE: stream4 issues: possible EVASIVE RST detection

["Daniel Miessler" <danielrm26 () hotmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> We are getting inundated by "spp:possible EVASIVE RST detection" alerts.
>
> I have tracked these down to about 20 NT 4 servers where apparently the
> TCP/IP stacks are jacked.

I had the same problem and am using Demarc as well.   I haven't tried upgrading to 1.9 yet to see if that was the 
problem, but you can make that specific preprocessor be quiet while you look into the issue.  Use the no_alerts option, 
or whatever it is, and that will quiet it down.

- --danielrm26

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 (Build 294) Beta

iQEVAwUBPaxNX/Lu0CaZEvl2AQKTJQf+O7NmDNmA1oQJbAJuN3QkT0x3kMmyJoMp
3Ag0nW/+Xf5uVOyEpO1yDAXv0esve717BeK26QHd8A/ZQNrO6/Nmma1C8H69YKYO
yf6w++Gbpfzsv+1Ro6+b9Pl4HMUFLTI9m52fwor5G945sypziBxrqcGtBiiNQOxM
1LoNDAJWWcpbGdvjmNFM8QsDKdEJCHDBlC1i6r3qgHiHqekjpNCa4ZZES/9BM4jn
sfUjPmMHsllEsxk82NBORZQn9SEabrw4j/na1lEVJFTVsBPzRD5DdBn0n+IYVLJo
sekGq26I10g2hEu0162AE5b2sOpcMTCuXN8EDaUldr4ZS3GPytYWNQ==
=5i7V
-----END PGP SIGNATURE-----


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users