Snort mailing list archives
RES: spp_stream4: EVASIVE RST detection
From: Marcus Vinícius de Melo Rocha <marcus () limiar com br>
Date: Sat, 14 Jul 2001 10:16:59 -0300
> > preprocessor stream4 noalerts
> >                      ^^^^^^^^--- This should do the trick.
> > -bill
>
> That will kill all stream4 related alerts... I wish there were a way to selectively choose which alerts to show and which to toss. Or am I totally off base and the alerts we are discussing would be the only alerts you would see from the stream4 pp?
> -Steve
Hi,

I was reading the source code for the stream4 preprocessor, and I found the following alerts:

- "spp_stream4: DATA ON SYN detection"
- "spp_stream4: NMAP FINGERPRINT (stateful)"
- "spp_stream4: EVASIVE RST detection"
- "spp_stream4: Possible RETRANSMISSION"
- "spp_stream4: WINDOW VIOLATION detection"
- "spp_stream4: STEALTH ACTIVITY (unknown) detection"
- "spp_stream4: STEALTH ACTIVITY (Vecna scan) detection"
- "spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection"
- "spp_stream4: STEALTH ACTIVITY (NULL scan) detection"
- "spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection"
- "spp_stream4: STEALTH ACTIVITY (FIN scan) detection"
- "spp_stream4: STEALTH ACTIVITY (SAPU scan) detection"
- "spp_stream4: STEALTH ACTIVITY (Full XMAS scan) detection"

For now, I'm getting hundreds of "spp_stream4: Possible RETRANSMISSION", some "spp_stream4: WINDOW VIOLATION detection", and some "spp_stream4: EVASIVE RST detection". I'm studying the logs to find out if it's just false positives.

Hope it helps.

Marcus

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
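The thread's practical question is which stream4 messages are worth keeping when `noalerts` would silence all of them, and Marcus's approach is to go through the logs and see whether the volume is noise. The script below is an added example, not code from this thread or from the Snort project: it tallies the `spp_stream4:` messages in an alert log and, per message, how many distinct source hosts produced them, which is a quick way to tell "one busy internal host retransmitting" from "many external hosts probing". It assumes a line layout in the style of Snort's alert-fast output (timestamp, `[**] message [**]`, `src:port -> dst:port`); the sample lines are constructed for illustration, not captured traffic.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Snort "alert fast" output.
# Addresses, ports and timestamps are made up for the example.
SAMPLE_ALERTS = """\
07/14-09:01:12.000001  [**] spp_stream4: Possible RETRANSMISSION detection [**] 10.0.0.5:3344 -> 10.0.0.9:80
07/14-09:01:13.000002  [**] spp_stream4: Possible RETRANSMISSION detection [**] 10.0.0.5:3344 -> 10.0.0.9:80
07/14-09:02:40.000003  [**] spp_stream4: WINDOW VIOLATION detection [**] 10.0.0.7:1025 -> 10.0.0.9:25
07/14-09:03:01.000004  [**] spp_stream4: EVASIVE RST detection [**] 192.0.2.10:40000 -> 10.0.0.9:22
07/14-09:03:05.000005  [**] spp_stream4: Possible RETRANSMISSION detection [**] 10.0.0.6:2222 -> 10.0.0.9:80
07/14-09:04:00.000006  [**] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] 192.0.2.10:40001 -> 10.0.0.9:139
07/14-09:04:10.000007  [**] EXAMPLE-RULE constructed non-stream4 alert [**] 192.0.2.20:5555 -> 10.0.0.9:80
"""

# Assumed line shape: "<timestamp>  [**] <message> [**] <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Parse one alert-fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def parse_alerts(text):
    """Parse every matching line of an alert log; unparseable lines are skipped."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def stream4_counts(alerts):
    """Count only preprocessor messages, i.e. those prefixed 'spp_stream4:'."""
    return Counter(a["msg"] for a in alerts if a["msg"].startswith("spp_stream4:"))


def sources_for(alerts, msg):
    """Source hosts that triggered a given message, most frequent first."""
    return Counter(a["src"] for a in alerts if a["msg"] == msg)


def triage(text):
    """Per stream4 message: total count, number of distinct sources, busiest source.

    A high count from few sources usually points at a benign, noisy host
    (worth tuning out); a spread over many sources is the case to look at.
    """
    alerts = parse_alerts(text)
    report = {}
    for msg, n in stream4_counts(alerts).most_common():
        srcs = sources_for(alerts, msg)
        report[msg] = {
            "count": n,
            "distinct_sources": len(srcs),
            "top_source": srcs.most_common(1)[0][0],
        }
    return report


if __name__ == "__main__":
    for msg, info in triage(SAMPLE_ALERTS).items():
        print(f"{info['count']:4d} alerts  {info['distinct_sources']:2d} src  "
              f"{info['top_source']:15s}  {msg}")
```

Run it against a real alert file by reading the file's text into `triage()`; the `main` block only exercises the constructed sample. Non-stream4 rule alerts are parsed but left out of the tally, so the report reflects only what `noalerts` would suppress.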