Snort mailing list archives
Re: What is this alert??
From: Richard Bejtlich <taosecurity () gmail com>
Date: Mon, 21 Mar 2005 09:18:27 -0500
Marc Hering wrote:
Hey All,

I keep getting this same alert over and over and over (about 5k times already since Thursday):

    (spp_stream4) possible EVASIVE RST detection

I can't seem to find any useful info on it aside from that it is detecting a lot of RST requests... Is this a common alert that needs to be tweaked, or am I looking at something more sinister?
Hello Marc,

I recommend collecting some sample full content data using Tcpdump. If you're seeing tons of those alerts, you'll be sure to capture something involving the IPs generating them. This is a good example of the importance of independently collecting full content data (libpcap packet info) to complement alert data (IDS triggers).

You might also gain some insight by collecting session data with Argus or SANCP. Since you're ready to find out more about specific events, you should probably just jump straight to collecting sample full content data. Start collecting session data now for future events which require additional investigation.

Sincerely,

Richard
http://www.taosecurity.com
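As an added illustration of the triage Richard describes (not code from his reply or from the Snort project): once you have a sample capture written with `tcpdump -w`, the first question is which host pairs are actually generating the RSTs, and whether those RSTs land on flows that had already carried data. The block below reads a classic libpcap file with only the standard library, tallies RST segments per (source, destination) pair, and lists the 4-tuples where a RST followed payload in the same direction. The IP addresses, ports and frames are constructed in-line purely so the example runs offline; `build_frame`, `build_pcap`, `rst_summary` and `rsts_on_data_flows` are names chosen here, not part of any tool.

```python
"""Triage a tcpdump capture of suspected EVASIVE RST traffic.

Reads a classic libpcap file (what `tcpdump -w` writes), counts TCP RST
segments per (src, dst) pair, and flags 4-tuples where a RST followed data
on the same flow. Standard library only; the sample capture is constructed
below so the script runs offline.
"""
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
TCP_RST = 0x04


def parse_pcap(data: bytes):
    """Yield (timestamp, frame) records from an in-memory classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:        # little-endian file
        endian = "<"
    elif magic == 0xD4C3B2A1:      # big-endian file
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    link_type, = struct.unpack_from(endian + "I", data, 20)
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    off = 24                       # global header is 24 bytes
    while off + 16 <= len(data):   # each record has a 16-byte header
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame: bytes):
    """Return (src, dst, sport, dport, flags, payload_len) for IPv4/TCP, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    if ip[9] != 6 or len(ip) < ihl + 20:   # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return src, dst, sport, dport, flags, len(tcp) - data_off


def rst_summary(pcap_bytes: bytes) -> Counter:
    """Count RST segments per (src, dst) pair; use .most_common() to rank talkers."""
    counts = Counter()
    for _ts, frame in parse_pcap(pcap_bytes):
        f = tcp_fields(frame)
        if f and f[4] & TCP_RST:
            counts[(f[0], f[1])] += 1
    return counts


def rsts_on_data_flows(pcap_bytes: bytes) -> set:
    """4-tuples where a RST arrived after that same direction had already sent payload."""
    seen_data, hits = set(), set()
    for _ts, frame in parse_pcap(pcap_bytes):
        f = tcp_fields(frame)
        if not f:
            continue
        src, dst, sport, dport, flags, plen = f
        key = (src, dst, sport, dport)
        if flags & TCP_RST and key in seen_data:
            hits.add(key)
        elif plen > 0:
            seen_data.add(key)
    return hits


# --- constructed sample capture (not real traffic) -------------------------
def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums are zero, fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file, as tcpdump -w would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1111331907 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("10.1.1.5", "192.168.0.20", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n"),  # PSH|ACK + data
    build_frame("10.1.1.5", "192.168.0.20", 40000, 80, TCP_RST),                      # RST on that flow
    build_frame("10.1.1.5", "192.168.0.20", 40001, 80, TCP_RST),                      # RST, new flow
    build_frame("172.16.0.9", "192.168.0.20", 5555, 22, TCP_RST | 0x10),              # RST|ACK
    build_frame("192.168.0.20", "10.1.1.5", 80, 40000, 0x10),                         # plain ACK
])

if __name__ == "__main__":
    for (src, dst), n in rst_summary(SAMPLE_PCAP).most_common():
        print(f"{n:6d} RST  {src} -> {dst}")
    print("RST after data on:", sorted(rsts_on_data_flows(SAMPLE_PCAP)))
```

To use it on a real sample, capture with something like `tcpdump -nn -s 0 -w rst-sample.pcap 'tcp[tcpflags] & tcp-rst != 0 or host <suspect>'` and pass the file's bytes to `rst_summary`; the per-pair counts are the same kind of answer a session tool such as Argus or SANCP would give, and the 4-tuple list points you at the specific streams worth opening in full.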
Current thread:
- What is this alert?? Marc Hering (Mar 21)
- Re: What is this alert?? Wes Young (Mar 21)
- <Possible follow-ups>
- Re: What is this alert?? Richard Bejtlich (Mar 21)