Snort mailing list archives
stream4 issues: possible EVASIVE RST detection
From: "Ben Keepper" <bkeepper () Paladinss com>
Date: Mon, 14 Oct 2002 10:35:28 -0700
I have just implemented a large (25 sensors plus) IDS of Snort on a large corporate network. We are getting inundated by "spp:possible EVASIVE RST detection" alerts. I have tracked these down to about 20 NT 4 servers where apparently the TCP/IP stacks are jacked. In the meantime I need to eliminate these alerts.

After reading the FAQ and the archives, it seems I need to modify the Stream4 preprocessor. The FAQ specifies adding a "-z est" option to the command line. I am a little confused as to the method of introducing this argument to snort. (We are using Demarc for Snort management.) So do I have to modify Demarc to start Snort with the "-z est" options, or can this be done via snort.conf?

Any help would be greatly appreciated.

TIA,
Ben
Current thread:
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 14)
- Re: stream4 issues: possible EVASIVE RST detection Chris Reining (Oct 14)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- <Possible follow-ups>
- RE: stream4 issues: possible EVASIVE RST detection Miller, Eoin (Oct 15)
- RE: stream4 issues: possible EVASIVE RST detection Daniel Miessler (Oct 15)
- stream4 issues: possible EVASIVE RST detection Ben Keepper (Oct 17)