Snort mailing list archives

RE: spp_stream4 Stealth Activity detect

From: "Esler, Joel Contractor" <EslerJ () RCERT-S ARMY MIL>
Date: Tue, 17 Jun 2003 16:29:26 -0400

You may consider taking the "detect_state_problems" out of the stream4
preprocessor load.  This may help to reduce this false positive.

Joel

-----Original Message-----
From: John Hally [mailto:JHally () epnet com] 
Sent: Tuesday, June 17, 2003 4:05 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] spp_stream4 Stealth Activity detect

Hello All,

I'm constantly getting alerts (40-100 per day) from the stream4 preprocessor
for stealth activity.  When I look at the packet trace, it looks benign (web
traffic), except for the Ack/Push/Reset flags being set.  My understanding
of the Stealth alert is that there's no matching state info in the state
tables that snort keeps.  Is it possible that the state tables are
'flushing' too soon, or I just don't have enough memory for the type of
traffic I'm monitoring?  Am I way off?

Thanks in Advance,

John H.

-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

spp_stream4 Stealth Activity detect John Hally (Jun 17)
- <Possible follow-ups>
- RE: spp_stream4 Stealth Activity detect Esler, Joel Contractor (Jun 17)