Snort mailing list archives

Re: spp_stream4


From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 09 Jul 2002 14:36:00 -0700

Yeah, Snort detects the packet being sent to the web proxy has a
different checksum than the one being sent from the web proxy.
Fragrouted traffic from a single source can look like this.  Snort's
saying "Ah ha! you have already sent this packet, and the one you are
sending again is different!"  You can look into the fragroute docs for
information on why this is fun.

So to turn this off you can add the "disable_evasion_alerts" argument to
the stream4 preprocessor.

preprocessor stream4: detect_scans, disable_evasion_alerts

Hope this helps,

-Joe M.

-- 
Joe McAlerney
Silicon Defense: IDS Solutions

Jason Gauthier wrote:

I have started snort up, and am fine tuning my rules. I'm getting this
message A LOT.
It comes from the same system every time.  My transparent web proxy.

I'm not really understanding what's going on. I'm guessing that this is the
stream4 preprocessor and the message is coming up because it's transparently
sending it to another box.

My question then, since this is a "false positive", is what can I do about
ignoring it?

Thanks kindly,

Jason

======================
Message:
spp_stream4: TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Stuff, things, and much much more.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




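The check described in the reply above, as an added example that is not part of the original thread and is not Snort's stream4 code: a simplified model that remembers the checksum of the first copy of each sequence number per flow and flags a later copy whose checksum differs. The `Segment` fields, the function name and the sample traffic are assumptions made for illustration; the `disable_evasion_alerts` parameter only mirrors the effect of the preprocessor argument named in the reply.

```python
from collections import namedtuple

# One observed TCP segment; field names are assumptions made for this sketch.
Segment = namedtuple("Segment", "src sport dst dport seq checksum")


def changed_retransmissions(segments, disable_evasion_alerts=False):
    """Return segments that repeat an already-seen sequence number on the
    same flow but carry a different TCP checksum than the first copy."""
    first_seen = {}  # (src, sport, dst, dport, seq) -> checksum of first copy
    alerts = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        if key not in first_seen:
            first_seen[key] = seg.checksum
        elif seg.checksum != first_seen[key] and not disable_evasion_alerts:
            # Same flow and sequence number, different checksum: the
            # sender (or a device in the path) changed the segment.
            alerts.append(seg)
    return alerts


# Constructed sample traffic (documentation addresses, made-up checksums).
SAMPLE = [
    Segment("192.0.2.10", 40000, "198.51.100.5", 80, 1000, 0x1A2B),
    # Ordinary retransmission: identical checksum, no alert.
    Segment("192.0.2.10", 40000, "198.51.100.5", 80, 1000, 0x1A2B),
    Segment("192.0.2.10", 40000, "198.51.100.5", 80, 2000, 0x3C4D),
    # Same sequence number seen again with a different checksum.
    Segment("192.0.2.10", 40000, "198.51.100.5", 80, 2000, 0x9F01),
]

if __name__ == "__main__":
    for seg in changed_retransmissions(SAMPLE):
        print("TCP checksum changed on retransmission:", seg)
```

Suppressing the alert this way hides every changed retransmission, including ones that did not come from the proxy.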