Snort mailing list archives

Re: Possible Retrans & Evasive RST's


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 27 Aug 2001 06:53:16 -0700 (PDT)

On Sun, 26 Aug 2001, Sheahan, Paul (PCLN-NW) wrote:

> I just upgraded to Snort 1.8 RELEASE version and am seeing a ton of
> "Possible Retransmission detection" and "Evasive RST detection" alerts
> coming from one node on our internal network going to many external hosts on
> the Internet.

Go to 1.8.1-RELEASE build 74.

> My questions:
>
> 1. What do these alerts mean? I can't seem to find any detailed info on
> them. I know they come from the stream processor but that's about all I know.
> I see this from many other internal nodes as well.

http://snort.sourcefirel.com/docs/FAQ.html#3.14

> 2. I see many messages in the Snort mailing list that mention changing the
> params on the preprocessor to avoid these types of messages. Why have this
> preprocessor if everyone is going to bypass it?

To let you know you have a badly broken TCP/IP stack on your network.  :)
Seriously, with all the bells and whistles turned on stream4 is a noisy lil'
bugger.  Especially if any server or client is a M$ based TCP/IP stack.
Stream4 does lots of other neat things:  Stateful inspection and large scale
stream reassembly (256+ streams).  Go to that link and read on what else it
can do.  It's a bit of a read, but well worth your time.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

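Before touching the stream4 parameters, it is worth finding out which hosts actually generate the noise. The script below is an added example, not code from the thread or from Snort; it assumes the "fast" alert-file layout (timestamp [**] [gid:sid:rev] message [**] src -> dst), and the sample alert lines and their gid/sid numbers are constructed placeholders, not captures.

```python
"""Triage stream4 retransmission / evasive-RST alerts by source host (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in Snort "fast" alert style; gid/sid values are placeholders.
SAMPLE_ALERTS = """\
08/26-23:10:01.112233 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] 10.1.1.20:3301 -> 198.51.100.7:80
08/26-23:10:01.443322 [**] [111:3:1] (spp_stream4) Possible RETRANSMISSION detection [**] 10.1.1.20:3302 -> 203.0.113.9:443
08/26-23:10:02.001100 [**] [111:3:1] (spp_stream4) Possible RETRANSMISSION detection [**] 10.1.1.20:3303 -> 203.0.113.10:80
08/26-23:10:03.500000 [**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**] 10.1.1.20:3304 -> 198.51.100.8:25
08/26-23:10:04.100000 [**] [111:3:1] (spp_stream4) Possible RETRANSMISSION detection [**] 10.1.1.44:1025 -> 203.0.113.11:80
08/26-23:10:05.200000 [**] [1:1000001:1] Some other rule [**] 10.1.1.44:1026 -> 203.0.113.12:80
"""

# timestamp [**] [gid:sid:rev] message [**] src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+ \[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

def parse_alerts(text):
    """Yield (message, src, dst) for every line that matches the fast format."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield m.group("msg"), m.group("src"), m.group("dst")

def stream4_summary(text):
    """Per source host: count of each stream4 message and number of distinct peers."""
    counts = defaultdict(Counter)
    peers = defaultdict(set)
    for msg, src, dst in parse_alerts(text):
        if "(spp_stream4)" not in msg:
            continue  # only the preprocessor alerts discussed in the thread
        counts[src][msg] += 1
        peers[src].add(dst)
    return {src: (dict(counts[src]), len(peers[src])) for src in counts}

def noisy_sources(text, min_alerts=3, min_peers=3):
    """Hosts tripping stream4 repeatedly against many peers: candidates for a broken stack."""
    return sorted(
        src for src, (per_msg, npeers) in stream4_summary(text).items()
        if sum(per_msg.values()) >= min_alerts and npeers >= min_peers
    )

if __name__ == "__main__":
    for src, (per_msg, npeers) in stream4_summary(SAMPLE_ALERTS).items():
        print(src, npeers, "peers", per_msg)
    print("noisy:", noisy_sources(SAMPLE_ALERTS))
```

A host that appears alone in the noisy list, as in the original question, is the one to investigate before the whole preprocessor is tuned down for everyone.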
