Snort mailing list archives
RES: spp_stream4: EVASIVE RST detection
From: Marcus Vinícius de Melo Rocha <marcus () limiar com br>
Date: Sat, 14 Jul 2001 10:16:59 -0300
> > preprocessor stream4 noalerts
> >                      ^^^^^^^^--- This should do the trick.
> > -bill
>
> That will kill all stream4 related alerts... I wish there were a way to
> selectively choose which alerts to show and which to toss. Or am I totally
> off base and the alerts we are discussing would be the only alerts you would
> see from the stream4 pp?
> -Steve
Hi,
I was reading the source code for stream4 preprocessor, and I found the
following alerts:
- "spp_stream4: DATA ON SYN detection"
- "spp_stream4: NMAP FINGERPRINT (stateful)"
- "spp_stream4: EVASIVE RST detection"
- "spp_stream4: Possible RETRANSMISSION"
- "spp_stream4: WINDOW VIOLATION detection"
- "spp_stream4: STEALTH ACTIVITY (unknown) detection"
- "spp_stream4: STEALTH ACTIVITY (Vecna scan) detection"
- "spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection"
- "spp_stream4: STEALTH ACTIVITY (NULL scan) detection"
- "spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection"
- "spp_stream4: STEALTH ACTIVITY (FIN scan) detection"
- "spp_stream4: STEALTH ACTIVITY (SAPU scan) detection"
- "spp_stream4: STEALTH ACTIVITY (Full XMAS scan) detection"
For now, I'm getting hundreds of "spp_stream4: Possible RETRANSMISSION",
some "spp_stream4: WINDOW VIOLATION detection", and some "spp_stream4:
EVASIVE RST detection". I'm studying the logs to find out if they're just false
positives.
Hope it helps.
Marcus
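As an added example (not part of Marcus's post or of Snort itself), a small Python triage helper for the kind of log review he describes: it parses spp_stream4 alert lines in an assumed "alert fast" style layout (the sample lines below are constructed, not from the post), counts each alert type, and reports how concentrated each type is on a single source address. One chatty host producing all the retransmission alerts looks very different from a message spread across many sources.

```python
import re
from collections import Counter, defaultdict

# Assumed alert-fast style line (the post shows no raw alert lines); the
# optional [gid:sid:rev] and {proto} fields are tolerated if present.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>spp_stream4: .+?)\s+\[\*\*\]"
    r"(?:\s+\{\w+\})?\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alerts using documentation address ranges.
SAMPLE_ALERTS = """\
07/14-10:16:59.000001 [**] spp_stream4: Possible RETRANSMISSION [**] 192.0.2.10:3921 -> 198.51.100.5:80
07/14-10:17:01.000002 [**] spp_stream4: Possible RETRANSMISSION [**] 192.0.2.10:3922 -> 198.51.100.5:80
07/14-10:17:03.000003 [**] spp_stream4: Possible RETRANSMISSION [**] 192.0.2.10:3923 -> 198.51.100.5:80
07/14-10:18:10.000004 [**] spp_stream4: WINDOW VIOLATION detection [**] 192.0.2.11:1025 -> 198.51.100.5:25
07/14-10:19:45.000005 [**] spp_stream4: EVASIVE RST detection [**] 203.0.113.7:40000 -> 198.51.100.5:80
07/14-10:19:46.000006 [**] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] 203.0.113.7:40001 -> 198.51.100.5:22
"""


def parse_stream4_alerts(text):
    """Return (msg, src, dst) for every line that is a spp_stream4 alert."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append((m.group("msg"), m.group("src"), m.group("dst")))
    return out


def summarize(alerts):
    """Per alert message: total count, distinct sources, and the share of
    alerts coming from the single busiest source (1.0 = one host only)."""
    by_msg = Counter(msg for msg, _, _ in alerts)
    srcs = defaultdict(Counter)
    for msg, src, _ in alerts:
        srcs[msg][src] += 1
    report = {}
    for msg, total in by_msg.items():
        top_src, top_n = srcs[msg].most_common(1)[0]
        report[msg] = {"total": total, "sources": len(srcs[msg]),
                       "top_src": top_src, "top_share": top_n / total}
    return report


if __name__ == "__main__":
    for msg, stats in summarize(parse_stream4_alerts(SAMPLE_ALERTS)).items():
        print(f"{stats['total']:4d}  {stats['sources']:2d} src  "
              f"top {stats['top_src']} ({stats['top_share']:.0%})  {msg}")
```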
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net