Snort mailing list archives
Re: spp_stream4: TTL EVASION (reassemble) detection
From: "Pedro Tedeschi" <pedro.tedeschi () frb-par com>
Date: Fri, 20 Sep 2002 11:54:32 -0300
McCammon, thanks for you reply My comments in snort.conf are these: preprocessor stream4: detect_scans, disable_evasion_alerts, noalerts The "disable_evasion_alerts" are there in snort.conf, but i'm still recieve evasion alerts. I'm really need help, because my database are working full for this alerts. Regards, ----- Original Message ----- From: McCammon, Keith To: Pedro Tedeschi ; snort-users () lists sourceforge net Sent: Friday, September 20, 2002 11:45 AM Subject: RE: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection Read your comments in snort.conf: disable_evasion_alerts - turn off the possibly noisy mitigation of overlapping sequences. You can uncomment this in the stream4 options. -----Original Message----- From: Pedro Tedeschi [mailto:pedro.tedeschi () frb-par com] Sent: Friday, September 20, 2002 10:32 AM To: snort-users () lists sourceforge net Subject: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection Hi, whats means this rule? "spp_stream4: TTL EVASION (reassemble) detection" I didn't find this one in the rules path, and i'm recieve more than 56000 attacks about this rule ... Is this rule are important? If not, i would like to know, how i can remove this rule ... Thanks in advance Cheers, Pedro Tedeschi
Current thread:
- RE: spp_stream4: TTL EVASION (reassemble) detection McCammon, Keith (Sep 20)
- Re: spp_stream4: TTL EVASION (reassemble) detection Pedro Tedeschi (Sep 20)
- <Possible follow-ups>
- re: spp_stream4: TTL EVASION (reassemble) detection Kevin Peuhkurinen (Sep 20)