Snort mailing list archives

Re: stream4


From: Erek Adams <erek () snort org>
Date: Thu, 10 Apr 2003 12:02:14 -0400 (EDT)

On Thu, 10 Apr 2003, Steven Rudolph wrote:

Is it possible to ignore hosts in the stream4 plug-in?
I have some load balancers that send out traffic that alerts very
frequently on this.
I really do not want to log this traffic.
Here is an example alert:

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
04/10-11:46:11.071796 aaa.bbb.131.12:1050 -> aaa.bbb.135.123:80
TCP TTL:62 TOS:0x0 ID:5451 IpLen:20 DgmLen:40 DF
1****R** Seq: 0x462F0BD0  Ack: 0x0  Win: 0x0  TcpLen: 20

There really isn't an 'ignore' directive for stream4.  You'll have to use
a BPF filter.  You can look at the BPF part of this [0], and for more info
see the tcpdump manpage [1].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]     http://www.theadamsfamily.net/~erek/snort/ignore.txt
[1]     Tcpdump.org seems to be unreachable, so...
        http://www.fifi.org/cgi-bin/man2html/usr/share/man/man8/tcpdump.8.gz
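As an added illustration of the BPF approach suggested above (not part of the original thread), the script below builds a filter file for Snort 2.x's `-F` option. Since a BPF filter discards packets before any preprocessor or rule sees them, it deliberately excludes only the load balancers' RST packets (the kind shown in the alert) rather than all of their traffic, so the hosts stay inspected for everything else. Addresses used are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread: generate a BPF expression that
# hides the load balancers' RST packets from Snort so stream4 stops alerting on
# them, while the rest of their traffic is still inspected.

# build_ignore_filter HOST... -> prints the BPF expression on stdout
build_ignore_filter() {
    hosts_expr=""
    for h in "$@"; do
        # basic shape check for a dotted IPv4 address (not a full validation)
        case "$h" in
            ""|*[!0-9.]*|*..*|.*|*.) echo "bad host: $h" >&2; return 1 ;;
        esac
        if [ -z "$hosts_expr" ]; then
            hosts_expr="src host $h"
        else
            hosts_expr="$hosts_expr or src host $h"
        fi
    done
    [ -n "$hosts_expr" ] || { echo "no hosts given" >&2; return 1; }
    # keep every packet except RSTs that originate from the listed hosts
    printf 'not ((%s) and tcp[tcpflags] & tcp-rst != 0)\n' "$hosts_expr"
}

# write_filter_file FILE HOST... -> writes the expression for "snort -F FILE"
write_filter_file() {
    out=$1; shift
    build_ignore_filter "$@" > "$out"
}

# Demo run: sh lb-ignore.sh --demo  (addresses are constructed placeholders)
if [ "${1:-}" = "--demo" ]; then
    write_filter_file /tmp/lb-ignore.bpf 192.0.2.12 192.0.2.13
    cat /tmp/lb-ignore.bpf
    # then start Snort with:  snort -c snort.conf -F /tmp/lb-ignore.bpf
fi
```

Check the generated expression with `tcpdump -r capture.pcap -F /tmp/lb-ignore.bpf` against a capture before deploying it, so you can confirm exactly which packets Snort will no longer see.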

