RE: stream4 issues: possible EVASIVE RST detection

["Daniel Miessler" <danielrm26 () hotmail com>]

> preprocessor stream4: detect_scans,disable_evasion_alerts,ttl_limit 0

Great!  I knew there was something better than no_alerts.  :)  I knew it
wasn't Demarc...just that stream4 preprocessor... in snort.conf.

Thanks, man.

--Daniel

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-
> admin () lists sourceforge net] On Behalf Of Miller, Eoin
> Sent: Tuesday, October 15, 2002 1:36 PM
> To: Daniel Miessler; Ben Keepper; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] stream4 issues: possible EVASIVE RST
detection
> i am also using demarc, this isnt something specific to demarc, its
the new code in
> the stream4 preprocessor that was introduced, the chatter should be
reduced if you
> disable the evasion alerts, here is how mine looks:
>
> --start snip snort.conf--
>
> hope this helps
>
> > -----Original Message-----
> > From: Daniel Miessler [mailto:danielrm26 () hotmail com]
> > Sent: Tuesday, October 15, 2002 1:16 PM
> > To: 'Ben Keepper'; snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] stream4 issues: possible EVASIVE RST
> > detection
> >
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > We are getting inundated by "spp:possible EVASIVE RST
> > detection" alerts.
> > > I have tracked these down to about 20 NT 4 servers where
> > apparently the
> > > TCP/IP stacks are jacked.
> >
> > I had the same problem and am using Demarc as well.   I
> > haven't tried upgrading to 1.9 yet to see if that was the
> > problem, but you can make that specific preprocessor be quiet
> > while you look into the issue.  Use the no_alerts option, or
> > whatever it is, and that will quiet it down.
> >
> > - --danielrm26
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0 (Build 294) Beta
> iQEVAwUBPaxNX/Lu0CaZEvl2AQKTJQf+O7NmDNmA1oQJbAJuN3QkT0x3kMmy
> JoMp
> >
> 3Ag0nW/+Xf5uVOyEpO1yDAXv0esve717BeK26QHd8A/ZQNrO6/Nmma1C8H69Y
> KYO
> > yf6w++Gbpfzsv+1Ro6+b9Pl4HMUFLTI9m52fwor5G945sypziBxrqcGtBiiNQOxM
> 1LoNDAJWWcpbGdvjmNFM8QsDKdEJCHDBlC1i6r3qgHiHqekjpNCa4ZZES/9BM4
> jn
> >
> sfUjPmMHsllEsxk82NBORZQn9SEabrw4j/na1lEVJFTVsBPzRD5DdBn0n+IYVLJo
> > sekGq26I10g2hEu0162AE5b2sOpcMTCuXN8EDaUldr4ZS3GPytYWNQ==
> > =5i7V
> > -----END PGP SIGNATURE-----
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users