Snort mailing list archives
RE: stream4 issues: possible EVASIVE RST detection
From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Tue, 15 Oct 2002 13:35:49 -0400
I am also using Demarc. This isn't something specific to Demarc; it's the new code in the stream4 preprocessor that was introduced. The chatter should be reduced if you disable the evasion alerts. Here is how mine looks:

--start snip snort.conf--
preprocessor stream4: detect_scans,disable_evasion_alerts,ttl_limit 0
--end snip snort.conf--

Hope this helps.

-----Original Message-----
From: Daniel Miessler [mailto:danielrm26 () hotmail com]
Sent: Tuesday, October 15, 2002 1:16 PM
To: 'Ben Keepper'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] stream4 issues: possible EVASIVE RST detection

> We are getting inundated by "spp:possible EVASIVE RST detection" alerts.
> I have tracked these down to about 20 NT 4 servers where apparently the
> TCP/IP stacks are jacked.

I had the same problem and am using Demarc as well. I haven't tried upgrading to 1.9 yet to see if that was the problem, but you can make that specific preprocessor be quiet while you look into the issue. Use the no_alerts option, or whatever it is, and that will quiet it down.

--danielrm26

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

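A per-source tally of the alert file, taken while the alert is still enabled, shows which hosts produce the "possible EVASIVE RST detection" chatter discussed in this thread. This is an added example, not code from the thread or from Snort; the log lines are constructed, their layout (the `{TCP} src:port -> dst:port` tail) is an assumption about the alert file format, and the function names are hypothetical.

```python
import re
from collections import Counter

ALERT_TEXT = "possible EVASIVE RST detection"  # alert string quoted in the thread
# Endpoints as "{TCP} src:port -> dst:port" (assumed fast-alert layout).
ENDPOINTS = re.compile(
    r"\{TCP\}\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Constructed sample lines; addresses, ports and timestamps are made up.
SAMPLE = """\
10/15-13:01:02.100000  [**] spp_stream4: possible EVASIVE RST detection [**] {TCP} 10.1.1.21:1042 -> 10.1.2.5:80
10/15-13:01:03.200000  [**] spp_stream4: possible EVASIVE RST detection [**] {TCP} 10.1.1.21:1043 -> 10.1.2.5:80
10/15-13:01:04.300000  [**] constructed unrelated alert [**] {TCP} 10.9.9.9:4000 -> 10.1.2.5:22
10/15-13:01:05.400000  [**] spp_stream4: possible EVASIVE RST detection [**] {TCP} 10.1.1.22:2001 -> 10.1.2.7:139
10/15-13:01:06.500000  [**] spp_stream4: possible EVASIVE RST detection [**] {TCP} 10.1.1.21:1044 -> 10.1.2.6:80
10/15-13:01:07.600000  [**] spp_stream4: possible EVASIVE RST detection [**]
""".splitlines()


def tally_rst_sources(lines):
    """Return (per-source Counter, number of matching lines with no endpoints)."""
    sources, unparsed = Counter(), 0
    for line in lines:
        if ALERT_TEXT not in line:
            continue  # some other alert; leave it out of the tally
        match = ENDPOINTS.search(line)
        if match is None:
            unparsed += 1  # truncated or differently formatted line
            continue
        sources[match.group(1)] += 1
    return sources, unparsed


def noisy_sources(lines, min_alerts):
    """Sources with at least min_alerts matching alerts, busiest first."""
    sources, _ = tally_rst_sources(lines)
    return [(ip, n) for ip, n in sources.most_common() if n >= min_alerts]


if __name__ == "__main__":
    counts, skipped = tally_rst_sources(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip:15} {n}")
    print(f"unparsed matching lines: {skipped}")
```
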
Current thread:
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 14)
- Re: stream4 issues: possible EVASIVE RST detection Chris Reining (Oct 14)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- <Possible follow-ups>
- RE: stream4 issues: possible EVASIVE RST detection Miller, Eoin (Oct 15)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 17)