Snort mailing list archives
RE: stream4 issues: possible EVASIVE RST detection
From: "Daniel Miessler" <danielrm26 () hotmail com>
Date: Tue, 15 Oct 2002 14:06:47 -0400
preprocessor stream4: detect_scans,disable_evasion_alerts,ttl_limit 0
Great! I knew there was something better than no_alerts. :) I knew it wasn't Demarc... just that stream4 preprocessor... in snort.conf. Thanks, man.

--Daniel

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Miller, Eoin
Sent: Tuesday, October 15, 2002 1:36 PM
To: Daniel Miessler; Ben Keepper; snort-users () lists sourceforge net
Subject: RE: [Snort-users] stream4 issues: possible EVASIVE RST detection

I am also using Demarc. This isn't something specific to Demarc; it's the new code in the stream4 preprocessor that was introduced. The chatter should be reduced if you disable the evasion alerts. Here is how mine looks:

--start snip snort.conf--

Hope this helps.

-----Original Message-----
From: Daniel Miessler [mailto:danielrm26 () hotmail com]
Sent: Tuesday, October 15, 2002 1:16 PM
To: 'Ben Keepper'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] stream4 issues: possible EVASIVE RST detection

We are getting inundated by "spp:possible EVASIVE RST detection" alerts. I have tracked these down to about 20 NT 4 servers where apparently the TCP/IP stacks are jacked.

I had the same problem and am using Demarc as well. I haven't tried upgrading to 1.9 yet to see if that was the problem, but you can make that specific preprocessor be quiet while you look into the issue. Use the no_alerts option, or whatever it is, and that will quiet it down.

--danielrm26

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 14)
- Re: stream4 issues: possible EVASIVE RST detection Chris Reining (Oct 14)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- <Possible follow-ups>
- RE: stream4 issues: possible EVASIVE RST detection Miller, Eoin (Oct 15)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 17)