Snort mailing list archives
RE: lots of ttl evasion attempt alerts snort 1.8.7
From: "Schroeder, Eric" <Eric.Schroeder () westgroup com>
Date: Fri, 12 Jul 2002 14:51:36 -0500
Excuse me for not having this entire thread, I just got on this list today.

It's good to know how to disable the alerts, but I've been trying to figure out what it means, and what causes false alerts. Here are my stream4 options from snort.conf:

preprocessor stream4: detect_scans memcap 100MB
preprocessor stream4_reassemble: both, ports all

Would someone fill me in on what these really are, and where the various spp_stream alerts are documented?

Also, has anyone used snort in conjunction with Shadow? I currently have one Shadow sensor, and one management server with Snort/ACID/MySQL which processes the log files after they are transferred to it. I was running Snort and Shadow on the same sensor, but that seemed to cause stability problems. But I'm wondering what everyone else thinks of this setup.

-Eric

-----Original Message-----
From: Michael Scheidell [mailto:scheidell () secnap net]
Sent: Friday, July 12, 2002 12:25 PM
To: snort-users () lists sourceforge net
Cc: Michael Scheidell
Subject: Re: [Snort-users] lots of ttl evasion attempt alerts snort 1.8.7
Add ttl_limit 0
Thanks for quick reply! Always a pleasure.. now, does ANYONE know the answer to the bpf problem on FBSD?

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Gadgets, caffeine, t-shirts, fun stuff.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- lots of ttl evasion attempt alerts snort 1.8.7 Michael Scheidell (Jul 11)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Chris Green (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Michael Scheidell (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 David E. Gianndrea (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Erek Adams (Jul 12)
- <Possible follow-ups>
- RE: lots of ttl evasion attempt alerts snort 1.8.7 Schroeder, Eric (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Chris Green (Jul 12)