Snort mailing list archives

I keep getting an alert from my own SQL server


From: Jeff Ramsey <ramsejc () tubafor com>
Date: 07 Oct 2002 13:38:02 -0700

Hi all,
        I keep getting the following alert from my SQL server:

#BEGINNING OF ALERT ----------------------------------------------------
Meta
ID # Time Triggered Signature
1 - 27 2002-10-07 20:27:31 spp_stream4: possible EVASIVE RST detection
Sensor name interface filter
XXX.XXX.XXX.XXX eth0  none 
Alert
Group   none 
IP
source addr   dest addr   Ver Hdr Len TOS length ID flags offset TTL chksum
XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX 4 5 0 43 0 0 0 32 3189
FQDN Source Name Dest. Name
mysqlserver.domain.com mysnortbox.domain.com
Options     none
TCP
source port   dest port   R1 R0 URG ACK PSH RST SYN FIN seq # ack offset res window urp chksum
3306 1079 X X 3993767987 0 5 0 0 0 16296
Options     none
Payload

length = 3

000 : 63 6B 6F                                          cko
#END OF ALERT ----------------------------------------------------------

        If I comment out the stream4 parts of snort.conf, these messages stop.
I want the stream4 part so I can check for port scanning. How can I get
snort to ignore these packets from my sql server?
-- 

Jeff Ramsey
MIS Administrator
Tubafor Mill, Inc.



