Snort mailing list archives
Re: spp_stream4: TTL EVASION (reassemble) detection
From: "Pedro Tedeschi" <pedro.tedeschi () frb-par com>
Date: Fri, 20 Sep 2002 11:54:32 -0300
McCammon, thanks for your reply.
My comments in snort.conf are these:
preprocessor stream4: detect_scans, disable_evasion_alerts, noalerts
The "disable_evasion_alerts" is there in snort.conf, but I'm still receiving evasion alerts.
I really need help, because my database is working full for these alerts.
Regards,
----- Original Message -----
From: McCammon, Keith
To: Pedro Tedeschi ; snort-users () lists sourceforge net
Sent: Friday, September 20, 2002 11:45 AM
Subject: RE: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection
Read your comments in snort.conf:
disable_evasion_alerts - turn off the possibly noisy mitigation of overlapping sequences.
You can uncomment this in the stream4 options.
-----Original Message-----
From: Pedro Tedeschi [mailto:pedro.tedeschi () frb-par com]
Sent: Friday, September 20, 2002 10:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection
Hi, what does this rule mean?
"spp_stream4: TTL EVASION (reassemble) detection"
I didn't find this one in the rules path, and I'm receiving more than 56000 attacks about this rule ...
Is this rule important? If not, I would like to know how I can remove this rule ...
Thanks in advance
Cheers,
Pedro Tedeschi
