Snort mailing list archives
stream4 issues: possible EVASIVE RST detection
From: Ben Keepper <lists () paladinss com>
Date: 14 Oct 2002 21:14:21 -0700
I have just implemented a large (25 sensors plus) IDS of Snort on a large corporate network. We are getting inundated by "spp:possible EVASIVE RST detection" alerts. I have tracked these down to about 20 NT 4 servers where apparently the TCP/IP stacks are jacked. In the meantime I need to eliminate these alerts.

After reading the FAQ and the archives, it seems I need to modify the Stream4 preprocessor. The FAQ specifies adding a "-z est" option to the command line. I am a little confused as to the method of introducing this argument to Snort. (We are using Demarc for Snort management.) So do I have to modify Demarc to start Snort with the "-z est" option, or can this be done via snort.conf? Or is there a better way to modify the preprocessor to keep the benefits but turn down the noise?

Any help would be greatly appreciated.

TIA,
Ben
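Before suppressing the alert fleet-wide, it helps to confirm that the noise really does come from a handful of hosts, because the answer to "turn it down" differs from the answer to "fix 20 broken stacks". The script below is an added example, not code from this thread or from the Snort project: it parses Snort "fast"-style alert lines, tallies `possible EVASIVE RST detection` alerts by the source address of the alerted packet, and reports which hosts account for most of them. The sample lines, the `[gid:sid:rev]` values and all addresses are constructed placeholders.

```python
"""Triage Snort stream4 'possible EVASIVE RST detection' alerts by source host."""
import re
from collections import Counter
from typing import Dict, List, Tuple

EVASIVE_RST_MSG = "possible EVASIVE RST detection"

# Constructed sample alerts in Snort's "fast" alert format (example data, not from the thread).
# The [gid:sid:rev] values and the addresses are placeholders.
SAMPLE_ALERTS = """\
10/14-20:58:03.412001  [**] [111:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.20.4.21:139 -> 10.20.9.5:3201
10/14-20:58:03.412930  [**] [111:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.20.4.21:139 -> 10.20.9.5:3202
10/14-20:58:04.001200  [**] [1:0:0] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.20.9.77 -> 10.20.4.21
10/14-20:58:05.220113  [**] [111:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.20.4.22:445 -> 10.20.9.8:1042
10/14-20:58:05.220990  [**] [111:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.20.4.21:139 -> 10.20.9.5:3203
10/14-20:58:06.117777  [**] [111:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.20.7.9:80 -> 10.20.9.12:2210
10/14-20:58:07.300000  [**] [111:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 10.20.4.22:445 -> 10.20.9.8:1043
10/14-20:58:08.010000  [**] [1:0:0] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.20.9.77:2998 -> 10.20.4.21:80
"""

# One fast-format line: timestamp, [**], [gid:sid:rev], message, [**], optional
# classification/priority, {PROTO}, src[:port] -> dst[:port]. Ports are optional
# because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Parse fast-format lines; lines that do not match are skipped rather than guessed at."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def evasive_rst_by_source(alerts: List[Dict[str, str]]) -> Counter:
    """Count EVASIVE RST alerts per source address (the host that emitted the suspect RST)."""
    return Counter(a["src"] for a in alerts if a["msg"].endswith(EVASIVE_RST_MSG))


def noisy_hosts(counts: Counter, min_alerts: int = 2) -> List[Tuple[str, int]]:
    """Hosts at or above the threshold, loudest first; ties broken by address for determinism."""
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= min_alerts),
        key=lambda item: (-item[1], item[0]),
    )


def noise_share(counts: Counter, hosts: List[Tuple[str, int]]) -> float:
    """Fraction of all EVASIVE RST alerts that the given hosts account for."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(counts[ip] for ip, _ in hosts) / total


if __name__ == "__main__":
    counts = evasive_rst_by_source(parse_alerts(SAMPLE_ALERTS))
    loud = noisy_hosts(counts, min_alerts=2)
    for ip, n in loud:
        print(f"{ip:<16} {n} EVASIVE RST alerts")
    print(f"{len(loud)} host(s) produce {noise_share(counts, loud):.0%} of the EVASIVE RST noise")
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file contents and raising `min_alerts` to something like 50. If a short list of hosts owns nearly all of the volume, as the post describes, the cleaner fix is to treat those hosts (or suppress on their addresses) rather than to blunt stream4 for every sensor. For the preprocessor side, my recollection of the stream4 documentation for Snort 1.9/2.x (not something this thread states) is that the `detect_state_problems` keyword on the `preprocessor stream4:` line is what enables these state alerts and `disable_evasion_alerts` switches evasion alerts off, so check your own version's README.stream4 before relying on either.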
Current thread:
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 14)
- Re: stream4 issues: possible EVASIVE RST detection Chris Reining (Oct 14)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- <Possible follow-ups>
- RE: stream4 issues: possible EVASIVE RST detection Miller, Eoin (Oct 15)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 17)