Snort mailing list archives
RE: How do I stop all alerts generated by 'ssp_stream4'? (snort 1.9.0 )
From: Bryce Stenberg <bryce () hrnz co nz>
Date: Tue, 22 Oct 2002 16:51:29 +1300
Hi Chad,

Thanks for that info. I don't know how I missed the 'disable_evasion_alerts' when upgrading, and I never did (and still don't) know what the ttl_limit was about. But used them and all running well now.

Thanks.
Bryce Stenberg.
-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl () umb com]
Sent: Tuesday, 22 October 2002 3:52 a.m.
To: Bryce Stenberg; snort-users () lists sourceforge net
Subject: RE: [Snort-users] How do I stop all alerts generated by 'ssp_stream4'? (snort 1.9.0 )

These two options to stream4 should solve both of those: disable_evasion_alerts, ttl_limit 0

-----Original Message-----
From: Bryce Stenberg [mailto:bryce () hrnz co nz]
Sent: Sunday, October 20, 2002 4:23 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] How do I stop all alerts generated by 'ssp_stream4'? (snort 1.9.0 )

Hi All,

I have a problem with my logs filling with unwanted alerts from 'spp_stream4'. I'm using Snort 1.9.0 on Windows NT4 sp6 servers. I do want packets reassembled but I don't want any alerts.

My 'snort.conf' settings relating to stream4 are:

# stream4: stateful inspection/stream reassembly for Snort:
preprocessor stream4: noinspect
# tcp stream reassembly directive:
preprocessor stream4_reassemble: both, ports all, noalerts

My logs are filling with the likes of:

[**] [111:18:1] (spp_stream4) Multiple Acked Packets (possible fragroute) [**]
10/21-10:08:41.883332 192.168.0.7:1257 -> 192.168.0.240:6400
TCP TTL:128 TOS:0x0 ID:17792 IpLen:20 DgmLen:73 DF
***AP*** Seq: 0x9D744AC5 Ack: 0x610FCA Win: 0x2054 TcpLen: 20

OR:

[**] [111:16:1] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection [**]
10/21-10:01:11.151709 192.168.0.6:139 -> 192.168.0.23:2898
TCP TTL:128 TOS:0x0 ID:45791 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC4F73351 Ack: 0x1FAC281A Win: 0x2238 TcpLen: 20

Does anyone know what I'm doing wrong here or what I'm missing please? (I am assuming the above log entries do tie in to the stream4 settings in snort.conf).

I run no rules files except one - local.rules which is only looking for specific outgoing text.

Thanks,
Bryce Stenberg.
Harness Racing New Zealand computer department,
emailto:bryce () hrnz co nz
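To confirm which generators are filling an alert file before and after changing the stream4 options discussed in this thread, the alert header lines can be tallied by gid:sid. This is an added example, not code from the thread or from the Snort project; the function names and the sample log (the two alerts quoted above plus one made-up local rule alert) are assumptions.

```python
import re
from collections import Counter

# Header line of a Snort alert: [**] [gid:sid:rev] (source) message [**]
# The "(source)" part is present for preprocessor alerts such as spp_stream4.
ALERT_HEADER = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?:\((?P<source>[^)]+)\)\s+)?(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample: the alerts quoted in the thread, one repeated,
# plus a hypothetical alert from a local rule (sid 1000001 is made up).
SAMPLE_LOG = """\
[**] [111:18:1] (spp_stream4) Multiple Acked Packets (possible fragroute) [**]
10/21-10:08:41.883332 192.168.0.7:1257 -> 192.168.0.240:6400
TCP TTL:128 TOS:0x0 ID:17792 IpLen:20 DgmLen:73 DF
***AP*** Seq: 0x9D744AC5 Ack: 0x610FCA Win: 0x2054 TcpLen: 20

[**] [111:16:1] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection [**]
10/21-10:01:11.151709 192.168.0.6:139 -> 192.168.0.23:2898
TCP TTL:128 TOS:0x0 ID:45791 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC4F73351 Ack: 0x1FAC281A Win: 0x2238 TcpLen: 20

[**] [111:18:1] (spp_stream4) Multiple Acked Packets (possible fragroute) [**]
10/21-10:08:42.001200 192.168.0.7:1257 -> 192.168.0.240:6400

[**] [1:1000001:1] LOCAL outgoing text match [**]
10/21-10:09:03.500000 192.168.0.7:1300 -> 192.168.0.240:25
"""


def tally_alerts(log_text):
    """Count alerts keyed by (gid, sid, source, message)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_HEADER.search(line)
        if m:  # packet detail lines do not match and are skipped
            key = (int(m["gid"]), int(m["sid"]), m["source"] or "rule", m["msg"])
            counts[key] += 1
    return counts


def stream4_alerts(counts, gid=111):
    """Keep only alerts from generator 111, the gid shown for spp_stream4 above."""
    return {k: v for k, v in counts.items() if k[0] == gid}


if __name__ == "__main__":
    for (gid, sid, source, msg), n in tally_alerts(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {gid}:{sid}  {source}  {msg}")
```

Running it against the alert file before and after adding the options shows whether only the 111:16 and 111:18 counts stop growing while the local rule alerts continue.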
Current thread:
- RE: How do I stop all alerts generated by 'ssp_stream4'? (snort 1.9.0 ) Bryce Stenberg (Oct 21)
- Re: How do I stop all alerts generated by 'ssp_stream4'? (snort 1.9.0 ) Alberto Gonzalez (Oct 21)