Re: spp_stream4 preprocessor problem

[Martin Roesch <roesch () sourcefire com>]

If you update to the 1.8.1-beta5 code, Snort has been changed so that
you have to explicitly turn on TCP state violation alerts.  It turns out
that not all IP stacks are created equal and they quite frequently do
things that are considered "bad".

Beta5 is available at
http://www.snort.org/files/snort-1.8.1-beta5.tar.gz

   -Marty

tdangler () linuxisland com wrote:
> Hello all,
>
> Just got a quick question here.  First some info.  I'm running snort-1.8
> and it is started with:
>
> snort -u snort -g snort -d -D -z est -i eth0 -c snort.conf
>
> There is a web server running on this machine.  In my messages file I get
> several of the below listed spp_stream4 messages. Is this normal, or is
> there a way to not log these messages?  Any help would be much
> appreciated.
>
> TD
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jul 25 18:02:19 mail snort: spp_stream4: Possible RETRANSMISSION detection:
> 64.111.152.169:61206 -> xxx.xxx.xxx.xxx:80
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users