Snort mailing list archives

2.3RC1 increased spp_stream4: Stealth Activity Detected alerts


From: sekure <sekure () gmail com>
Date: Wed, 1 Dec 2004 15:51:44 -0500

Has anyone noticed an increase of spp_stream4 alerts of Stealth
Activity with the new RC version?

The actual message is:
12/01-15:40:43.525043  [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] {TCP} a.a.a.a:1187 -> b.b.b.b:8080
12/01-15:40:45.715698  [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] {TCP} a.a.a.a:1189 -> b.b.b.b:8080

And the packets have both the Ack and Rst flags set, which isn't
really abnormal as far as I understand.

I can supply the pcap if necessary, it's happening often enough. :)

