[Snort-devel] another stream4 problem

Vitaly Osipov vosipov at ...440...
Mon Jul 2 09:58:24 EDT 2001


Martin Roesch wrote:
> 
> It probably means that I need to tune things a little more. :)  Some (a
> lot) of the activity that it's detecting is probably bogus, but I find
> those WINDOW VIOLATION alerts interesting.  What's the primary platform
> on your network?  I'm going to tune the STEALTH ACTIVITY alerts today to
> not pop for certain things, and I'm also going to fix the code so that
> you can actually turn the alerts off. :)
> 

About platforms - I've read in the code that stream4 has some problems
with Microsoft stacks - so it looks like it reacts to each MS-based
client going, for example, to a Solaris-based server running Apache. We
have both NT/IIS and Solaris/Apache, but it looks like there is no
difference in the number of alerts (relative to the traffic volume, of
course).

regards,
Vitaly.


> 
> > spp_stream4: WINDOW VIOLATION detection      55097 (40%)
> 
> You get these when Snort sees data in a packet that goes outside the
> current window size for the session.
> 
> > what does this all mean? (don't tell me that it's normal and that my
> > servers have stupid MS tcp/ip stack - they do not (at least most of
> > them) :) )
> 
> Bear with me, this thing is still in beta... :)
> 
>      -Marty
> 
> --
> Martin Roesch
> roesch at ...402...
> http://www.sourcefire.com - http://www.snort.org
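
The check described in the quoted reply (payload falling outside the receiver's current window), as an added example that is not part of the original messages and is not Snort's stream4 code. The struct, enum and function names are hypothetical, and it assumes the advertised window is already scaled and smaller than 2^31 bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-direction state (not stream4's own layout). */
struct rcv_state {
    uint32_t rcv_nxt;  /* next sequence number the receiver expects */
    uint32_t rcv_wnd;  /* window it last advertised, in bytes (assumed scaled) */
};

enum seg_verdict { SEG_IN_WINDOW, SEG_OLD_DATA, SEG_PARTIAL_OVERRUN, SEG_BEYOND_WINDOW };

/* Sequence numbers wrap modulo 2^32, so compare by signed difference. */
static int seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Classify a segment carrying len payload bytes starting at seq. */
enum seg_verdict classify_segment(const struct rcv_state *s, uint32_t seq, uint32_t len)
{
    uint32_t win_end = s->rcv_nxt + s->rcv_wnd;  /* first byte past the window */
    uint32_t seg_end = seq + len;                /* first byte past the payload */

    if (len == 0)
        return SEG_IN_WINDOW;        /* no data, nothing can violate the window */
    if (seq_leq(seg_end, s->rcv_nxt))
        return SEG_OLD_DATA;         /* fully acknowledged already: retransmission */
    if (!seq_lt(seq, win_end))
        return SEG_BEYOND_WINDOW;    /* starts at or past the right edge */
    if (seq_lt(win_end, seg_end))
        return SEG_PARTIAL_OVERRUN;  /* starts inside, runs past the right edge */
    return SEG_IN_WINDOW;
}

int main(void)
{
    /* Constructed sample: the window straddles the 2^32 wrap point. */
    struct rcv_state s = { 0xFFFFFF00u, 0x200u };
    printf("%d\n", classify_segment(&s, 0xFFFFFFF0u, 0x20u));
    printf("%d\n", classify_segment(&s, 0x000000F0u, 0x20u));
    printf("%d\n", classify_segment(&s, 0x00000100u, 1u));
    return 0;
}
```

With a zero advertised window, a one-byte window probe is classified as SEG_BEYOND_WINDOW by this check, so a detector built on it has to decide separately how to treat probes.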



