Snort mailing list archives
Re: stream4
From: Erek Adams <erek () snort org>
Date: Thu, 10 Apr 2003 12:02:14 -0400 (EDT)
On Thu, 10 Apr 2003, Steven Rudolph wrote:
> Is it possible to ignore hosts in the stream4 plug-in? I have some load balancers that send out traffic that alerts very frequently on this. I really do not want to log this traffic. Here is an example alert:
>
> [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
> 04/10-11:46:11.071796 aaa.bbb.131.12:1050 -> aaa.bbb.135.123:80
> TCP TTL:62 TOS:0x0 ID:5451 IpLen:20 DgmLen:40 DF
> 1****R** Seq: 0x462F0BD0 Ack: 0x0 Win: 0x0 TcpLen: 20
There really isn't an 'ignore' directive for stream4. You'll have to use a BPF filter. You can look at the BPF part of this [0], and for more info see the tcpdump manpage [1].

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt
[1] Tcpdump.org seems to be unreachable, so... http://www.fifi.org/cgi-bin/man2html/usr/share/man/man8/tcpdump.8.gz
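As an added illustration of the BPF approach Erek describes (not part of the original post or of Snort itself), the shell snippet below builds two candidate filters: the host-wide exclusion the reply suggests, and a narrower one that drops only the bare RST segments the quoted alert shows, so the load balancers' other traffic still reaches stream4. The addresses are constructed placeholders standing in for the masked aaa.bbb.* hosts.

```shell
#!/bin/sh
# Added example (not from the original post): generate a BPF filter so that
# Snort/stream4 does not see the load balancers' RST probes.
# Addresses are constructed placeholders; the post masks its real ones.
LB_HOSTS="192.0.2.12 192.0.2.13"

# Join "<prefix> host <addr>" terms with "or" for every address given.
# join_hosts src a b  ->  src host a or src host b
join_hosts() {
    prefix=$1; shift
    out=""
    for h in "$@"; do
        if [ -n "$out" ]; then out="$out or "; fi
        out="${out}${prefix:+$prefix }host $h"
    done
    printf '%s' "$out"
}

# Option 1, what the reply suggests: drop every packet to or from the
# listed hosts. Caveat: Snort then inspects none of their traffic, so an
# attack that comes through a load balancer is invisible to every rule.
ignore_hosts_bpf() {
    printf 'not (%s)\n' "$(join_hosts "" "$@")"
}

# Option 2, narrower: drop only TCP segments with RST set that are sent by
# the listed hosts (the alert's flags are 1****R**, a bare RST), so their
# real client sessions are still tracked by stream4 and the other rules.
ignore_lb_rst_bpf() {
    printf 'not ((%s) and tcp[tcpflags] & tcp-rst != 0)\n' \
        "$(join_hosts src "$@")"
}

# Print the narrow filter; save it to a file and pass it to Snort with -F,
# e.g.  snort -c /etc/snort/snort.conf -F lb.bpf
ignore_lb_rst_bpf $LB_HOSTS
```

Check the expression with `tcpdump -d '<filter>'` before deploying it: tcpdump compiles it with the same libpcap and rejects a malformed filter without touching live traffic.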
Current thread:
- stream4 Steven Rudolph (Apr 10)
- Re: stream4 Erek Adams (Apr 10)
- Re: stream4 Chris Green (Apr 10)
- Re: stream4 Erek Adams (Apr 10)