Snort mailing list archives

Re: What is this alert??


From: Richard Bejtlich <taosecurity () gmail com>
Date: Mon, 21 Mar 2005 09:18:27 -0500

Marc Hering wrote:

Hey All,
I keep getting this same alert over and over and over (About 5k times already 
since Thursday)

(spp_stream4) possible EVASIVE RST detection   

I can't seem to find any useful info on it aside from that it is detecting a lot 
of RST requests...Is this a common alert that needs to be tweaked or am I 
looking at something more sinister?

Hello Marc,

I recommend collecting some sample full content data using Tcpdump. 
If you're seeing tons of those alerts you'll be sure to capture
something involving the IPs generating them.

This is a good example of the importance of independently collecting
full content data (libpcap packet info) to complement alert data (IDS
triggers).

You might also gain some insight by collecting session data with Argus
or SANCP.

Since you're ready to find out more about specific events, you should
probably just jump straight to collecting sample full content data. 
Start collecting session data now for future events which require
additional investigation.

Sincerely,

Richard
http://www.taosecurity.com
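As an added example that is not part of the original thread or Snort itself: once a tcpdump capture like the one suggested above is on disk, a short script can show which host pairs are producing the RST packets behind the alerts. This is my own code; it parses a classic little-endian Ethernet pcap and builds its own constructed sample capture, so the addresses and counts are made up for the demonstration.

```python
import struct
from collections import Counter

def _tcp_packet(src, dst, sport, dport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing tests)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def build_sample_pcap():
    """Constructed capture: three RSTs from one host plus one ordinary SYN from another."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    pkts = [_tcp_packet("10.0.0.5", "192.168.1.10", 40000 + i, 80, 0x04) for i in range(3)]
    pkts.append(_tcp_packet("192.168.1.20", "192.168.1.10", 51000, 443, 0x02))
    out = ghdr
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1111111111 + i, 0, len(p), len(p)) + p
    return out

def rst_summary(pcap):
    """Count TCP packets carrying the RST flag per (src, dst) pair in a little-endian pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only classic little-endian pcap handled)")
    counts = Counter()
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                      # not TCP
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue                                      # truncated TCP header
        if tcp[13] & 0x04:                                # RST bit set
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            counts[(src, dst)] += 1
    return counts

if __name__ == "__main__":
    for (src, dst), n in rst_summary(build_sample_pcap()).most_common():
        print(f"{src} -> {dst}: {n} RST")
```

Run it against a real capture with `rst_summary(open("evasive-rst.pcap", "rb").read())`; the pairs at the top of the list are the IPs worth pulling full sessions for.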

