Snort mailing list archives
2.3RC1 increased spp_stream4: Stealth Activity Detected alerts
From: sekure <sekure () gmail com>
Date: Wed, 1 Dec 2004 15:51:44 -0500
Has anyone noticed an increase of spp_stream4 alerts of Stealth Activity with the new RC version? The actual message is:

12/01-15:40:43.525043 [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] {TCP} a.a.a.a:1187 -> b.b.b.b:8080
12/01-15:40:45.715698 [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] {TCP} a.a.a.a:1189 -> b.b.b.b:8080

And the packets have both the Ack and Rst flags set, which isn't really abnormal as far as I understand. I can supply the pcap if necessary, it's happening often enough. :)