Snort mailing list archives

RE: spp_stream4: EVASIVE RST detection


From: "Bill Gercken" <bgercken () providentanalysis com>
Date: Fri, 13 Jul 2001 12:25:09 -0400


From the snort.conf:


# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules.  Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
#   keepstats [machine] - keep session statistics, add "machine" to get them in
#                         a flat format for machine reading
#   noinspect - turn off stateful inspection only
#   noalerts - turn off alerts from the stateful inspector
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4 noalerts
                     ^^^^^^^^--- This should do the trick.

-bill


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Ralf Hildebrandt
Sent: Friday, July 13, 2001 7:59 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] spp_stream4: EVASIVE RST detection


On Wed, Jul 11, 2001 at 09:50:32AM +0200, Ralf Hildebrandt wrote:
OK, what is "spp_stream4: EVASIVE RST detection" ? And why is it
cluttering my log?

Between 18:16:55 and 09:44:11 I got 136 of these alerts. What exactly
triggers it?

Or is there any way to disable that particular type of alert from the
stream4 preprocessor?

--
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


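Added example (not from either poster, not Snort's own code): before putting
"noalerts" in snort.conf, it is worth knowing that, per the conf comment above,
it turns off every alert from the stateful inspector, not just the EVASIVE RST
one. The script below reads a Snort alert file in the full-alert layout
("[**] message [**]" followed by a timestamp/endpoint line), counts the EVASIVE
RST alerts by src/dst pair and time span, and lists the other stream4 alerts
that "noalerts" would silence along with them. The sample records are
constructed, not captured; the record layout and the optional [gid:sid:rev]
prefix tolerated by the parser are assumptions about the alert format of that
era, so adjust the regexes if your alert file looks different.

```python
"""Triage stream4 'EVASIVE RST detection' alerts before silencing them.

Example code added to this list-archive page, not Snort's own.  Assumes the
Snort full-alert layout: a "[**] message [**]" line followed by
"MM/DD-HH:MM:SS.usec SRC:PORT -> DST:PORT" and protocol lines, records
separated by a blank line.  SAMPLE_ALERTS below is constructed test data.
"""
import re
from collections import Counter
from datetime import datetime

EVASIVE_RST = "spp_stream4: EVASIVE RST detection"

# Constructed sample alert file: three EVASIVE RST records and one other
# stream4 alert (a stealth-scan message, also invented for the example).
SAMPLE_ALERTS = """\
[**] spp_stream4: EVASIVE RST detection [**]
07/11-18:16:55.123456 10.1.1.20:80 -> 192.168.0.7:33421
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40
***A*R** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x0  TcpLen: 20

[**] spp_stream4: EVASIVE RST detection [**]
07/11-18:17:02.654321 10.1.1.20:80 -> 192.168.0.7:33430
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40
***A*R** Seq: 0x1A2B3C50  Ack: 0x0  Win: 0x0  TcpLen: 20

[**] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**]
07/11-22:40:10.000001 172.16.5.9:61000 -> 192.168.0.7:22
TCP TTL:52 TOS:0x0 ID:31337 IpLen:20 DgmLen:40
******** Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] spp_stream4: EVASIVE RST detection [**]
07/12-09:44:11.999999 10.1.1.21:443 -> 192.168.0.8:41000
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 20
"""

# Message line; the [gid:sid:rev] tag is optional (assumed absent in 1.8-era
# output, present in later versions).
MSG_RE = re.compile(r"^\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(.*?)\s*\[\*\*\]$")
# Timestamp and endpoint line that follows the message line.
HDR_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)$")


def parse_alerts(text):
    """Return a list of dicts (msg, time, src, sport, dst, dport), one per record."""
    alerts, msg = [], None
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            msg = m.group(1)
            continue
        h = HDR_RE.match(line)
        if h and msg is not None:
            alerts.append({
                "msg": msg,
                # No year in the log line; only relative ordering/spans are used.
                "time": datetime.strptime(f"{h.group(1)} {h.group(2)}", "%m/%d %H:%M:%S"),
                "src": h.group(3), "sport": int(h.group(4)),
                "dst": h.group(5), "dport": int(h.group(6)),
            })
            msg = None
    return alerts


def triage(alerts):
    """Summarise EVASIVE RST alerts and list what else 'noalerts' would hide."""
    rst = [a for a in alerts if a["msg"] == EVASIVE_RST]
    other_stream4 = Counter(
        a["msg"] for a in alerts
        if a["msg"].startswith("spp_stream4:") and a["msg"] != EVASIVE_RST)
    by_pair = Counter((a["src"], a["dst"]) for a in rst)
    times = [a["time"] for a in rst]
    span = (min(times), max(times)) if times else None
    return {"rst_count": len(rst), "by_pair": by_pair,
            "other_stream4": other_stream4, "span": span}


def report(summary):
    """Human-readable version of triage() output."""
    lines = [f"EVASIVE RST alerts: {summary['rst_count']}"]
    if summary["span"]:
        first, last = summary["span"]
        lines.append(f"  between {first:%m/%d-%H:%M:%S} and {last:%m/%d-%H:%M:%S}")
    for (src, dst), n in summary["by_pair"].most_common():
        lines.append(f"  {src} -> {dst}: {n}")
    hidden = sum(summary["other_stream4"].values())
    lines.append(f"other stream4 alerts that 'noalerts' would also silence: {hidden}")
    for msg, n in summary["other_stream4"].most_common():
        lines.append(f"  {n} x {msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_alerts(SAMPLE_ALERTS))))
```

Run it against your real alert file instead of SAMPLE_ALERTS; if the RST
alerts all come from one or two busy servers and the "other stream4" list is
non-empty, you lose less by leaving the inspector alerting and filtering the
RST message downstream than by setting "noalerts" for the whole preprocessor.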
