Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: {SPAM} spp_stream4: TTL EVASION (reassemble) detection?

From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 15 Jul 2002 15:57:53 -0400
Chris green answered a similar question recently. His advice was:
------------
Add ttl_limit 0


At 02:55 PM 7/15/2002 -0400, bthaler () webstream net wrote:

.  I just upgraded my 1.8.6 to 1.8.7, and now I'm getting tons of
"spp_stream4: TTL EVASION (reassemble) detection "

My snort.conf has:
preprocessor stream4: detect_scans, disable_evasion_alerts
I assumed that this setting would eliminate these alerts, but it doesn't appear to be working. The signature does say "reassemble", 
but I don't see any similar option for stre




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: