Snort mailing list archives

RE: spp_stream4: TTL EVASION (reassemble) detection

From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Fri, 20 Sep 2002 10:45:39 -0400

Read your comments in snort.conf: 

disable_evasion_alerts - turn off the possibly noisy mitigation of overlapping sequences.

You can uncomment this in the stream4 options.

-----Original Message-----
From: Pedro Tedeschi [mailto:pedro.tedeschi () frb-par com]
Sent: Friday, September 20, 2002 10:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection

Hi, whats means this rule? 
"spp_stream4: TTL EVASION (reassemble) detection"

I didn't find  this one in the rules path, and i'm recieve more than 56000 attacks about this rule ...

Is this rule are important? If not, i would like to know, how i can remove this rule ...

Thanks in advance

Cheers,

Pedro Tedeschi

Current thread:

RE: spp_stream4: TTL EVASION (reassemble) detection McCammon, Keith (Sep 20)
- Re: spp_stream4: TTL EVASION (reassemble) detection Pedro Tedeschi (Sep 20)
- <Possible follow-ups>
- re: spp_stream4: TTL EVASION (reassemble) detection Kevin Peuhkurinen (Sep 20)