Snort mailing list archives
I keep getting an alert from my own SQL server
From: Jeff Ramsey <ramsejc () tubafor com>
Date: 07 Oct 2002 13:38:02 -0700
Hi all,

I keep getting the following alert from my SQL server:

#BEGINNING OF ALERT ----------------------------------------------------
Meta
  ID #  |  Time  |  Triggered Signature
  1 - 27  |  2002-10-07 20:27:31  |  spp_stream4: possible EVASIVE RST detection
Sensor
  name  |  interface  |  filter
  XXX.XXX.XXX.XXX  |  eth0  |  none
Alert Group
  none
IP
  source addr  |  dest addr  |  Ver  |  Hdr Len  |  TOS  |  length  |  ID  |  flags  |  offset  |  TTL  |  chksum
  XXX.XXX.XXX.XXX  |  XXX.XXX.XXX.XXX  |  4  |  5  |  0  |  43  |  0  |  0  |  0  |  32  |  3189
FQDN
  Source Name  |  Dest. Name
  mysqlserver.domain.com  |  mysnortbox.domain.com
Options
  none
TCP
  source port  dest port  R1 R0 URG ACK PSH RST SYN FIN  seq #  ack  offset  res  window  urp  chksum
  3306 1079 X X 3993767987 0 5 0 0 0 16296
Options
  none
Payload
  length = 3
  000 : 63 6B 6F    cko
#END OF ALERT ----------------------------------------------------------

If I comment out the stream4 parts of snort.conf, these messages stop. I want the stream4 part so I can check for port scanning. How can I get snort to ignore these packets from my sql server?

--
Jeff Ramsey
MIS Administrator
Tubafor Mill, Inc.
Current thread:
- I keep getting an alert from my own SQL server Jeff Ramsey (Oct 10)