Snort mailing list archives
RE: spp_stream4 Stealth Activity detect
From: "Esler, Joel Contractor" <EslerJ () RCERT-S ARMY MIL>
Date: Tue, 17 Jun 2003 16:29:26 -0400
You may consider taking the "detect_state_problems" out of the stream4 preprocessor load. This may help to reduce this false positive.

Joel

-----Original Message-----
From: John Hally [mailto:JHally () epnet com]
Sent: Tuesday, June 17, 2003 4:05 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] spp_stream4 Stealth Activity detect

Hello All,

I'm constantly getting alerts (40-100 per day) from the stream4 preprocessor for stealth activity. When I look at the packet trace, it looks benign (web traffic), except for the Ack/Push/Reset flags being set. My understanding of the Stealth alert is that there's no matching state info in the state tables that snort keeps. Is it possible that the state tables are 'flushing' too soon, or I just don't have enough memory for the type of traffic I'm monitoring? Am I way off?

Thanks in Advance,
John H.

-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
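To illustrate the mechanism John describes (a mid-stream ACK/PSH or ACK/RST packet that matches no entry in the session table) and the knob Joel points at, here is an added, simplified model of a stream4-style state table. It is not Snort's code; the table behaviour, the timeout values and the 10.0.0.x trace are assumptions constructed for this example.

```python
from collections import namedtuple

# t = seconds since start of trace, flags = TCP flags as letters (S, A, P, R, F)
Packet = namedtuple("Packet", "t src dst flags")

class SessionTable:
    """Toy stream4-style session table; an assumption, not Snort's implementation."""
    def __init__(self, timeout, detect_state_problems=True):
        self.timeout = timeout
        self.detect_state_problems = detect_state_problems
        self.sessions = {}  # host pair -> time of last packet seen

    def _expire(self, now):
        # Flush idle sessions: the "flushing too soon" case when timeout is short.
        for k in [k for k, last in self.sessions.items() if now - last > self.timeout]:
            del self.sessions[k]

    def process(self, pkt):
        """Return an alert string, or None if the packet matched tracked state."""
        self._expire(pkt.t)
        key = tuple(sorted((pkt.src, pkt.dst)))
        if "S" in pkt.flags:          # SYN / SYN-ACK creates (or refreshes) state
            self.sessions[key] = pkt.t
            return None
        if key in self.sessions:      # mid-stream packet for a known session
            self.sessions[key] = pkt.t
            if "R" in pkt.flags or "F" in pkt.flags:
                del self.sessions[key]  # RST / FIN tears the session down
            return None
        # No state for this host pair: with detect_state_problems enabled the
        # packet is reported as stealth activity even though the traffic is benign.
        if self.detect_state_problems:
            return f"Stealth Activity: {pkt.src}->{pkt.dst} flags={pkt.flags} (no state)"
        return None

def run(trace, timeout, detect_state_problems=True):
    table = SessionTable(timeout, detect_state_problems)
    return [a for a in (table.process(p) for p in trace) if a]

# Constructed trace: a web session, a 90 s pause, more ACK/PSH data, then ACK/RST.
TRACE = [
    Packet(0.0, "10.0.0.5", "10.0.0.80", "S"),
    Packet(0.1, "10.0.0.80", "10.0.0.5", "SA"),
    Packet(0.2, "10.0.0.5", "10.0.0.80", "A"),
    Packet(0.3, "10.0.0.5", "10.0.0.80", "AP"),
    Packet(90.0, "10.0.0.5", "10.0.0.80", "AP"),
    Packet(90.1, "10.0.0.80", "10.0.0.5", "AR"),
]
# run(TRACE, 60) -> two alerts; run(TRACE, 300) -> []; run(TRACE, 60, False) -> []
```

The model shows the two ways the alert goes away: a longer session timeout keeps benign resumed traffic matched to state, while turning the check off silences the alert for every stateless packet, including ones that are not benign, so checking the alert timestamps against the session's idle time before choosing is worthwhile.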