Snort mailing list archives

Re: stream4 is alerting from my own MySQL Box???


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 8 Oct 2002 09:21:48 -0700 (PDT)

On 8 Oct 2002, Jeff Ramsey wrote:

        I keep getting the following alert from my SQL server:

[..snip...]

1 - 27 2002-10-07 20:27:31 spp_stream4: possible EVASIVE RST detection

[...snip...]

        If I comment out the stream4 parts of snort.conf, these messages
stop. I want the stream4 part so I can check for port scanning. How can I get
snort to ignore these packets from my sql server?

Check the .conf file.  :)  It's listed in there.

#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.

And just FYI "A RST packet for a session came in and its sequence number was
either outside of the window or below the last ack received from the other
side of the connection."

That's from http://marc.theaimsgroup.com/?l=snort-devel&m=99408150913864&w=2

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
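
The RST condition quoted in the reply above, as an added example that is not part of the original message and is not Snort's stream4 source. It is a small C model of that check; the function name classify_rst, its parameters and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only; names are assumptions, not Snort's stream4 code. */
enum rst_verdict { RST_OK, RST_BELOW_LAST_ACK, RST_OUTSIDE_WINDOW };

/* TCP sequence numbers wrap at 2^32, so order them by signed distance. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/*
 * rst_seq  : sequence number carried by the RST
 * last_ack : last ACK seen from the other side of the connection
 * win      : window advertised by that side
 */
enum rst_verdict classify_rst(uint32_t rst_seq, uint32_t last_ack, uint32_t win)
{
    /* A zero window still accepts a segment at exactly last_ack (RFC 793). */
    uint32_t span = win ? win : 1;

    if (seq_lt(rst_seq, last_ack))
        return RST_BELOW_LAST_ACK;
    if (!seq_lt(rst_seq, last_ack + span))
        return RST_OUTSIDE_WINDOW;
    return RST_OK;
}

int main(void)
{
    /* Constructed samples: {rst_seq, last_ack, win}. */
    static const uint32_t s[][3] = {
        { 1000u,       1000u,       5840u }, /* in window */
        { 999u,        1000u,       5840u }, /* below last ack */
        { 6840u,       1000u,       5840u }, /* at right edge: outside */
        { 0x00000010u, 0xFFFFFF00u, 1024u }, /* in window across wrap */
    };
    static const char *name[] = { "ok", "below last ack", "outside window" };

    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("seq=%u ack=%u win=%u -> %s\n", (unsigned)s[i][0],
               (unsigned)s[i][1], (unsigned)s[i][2],
               name[classify_rst(s[i][0], s[i][1], s[i][2])]);
    return 0;
}
```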


