[Snort-devel] stream4 feature request?

Chris Green cmg at ...402...
Thu Apr 25 07:56:03 EDT 2002


Jon Hart <jhart at ...1288...> writes:

> 'afternoon,
>
> As per some traffic on #snort, I've been giving the CVS version of 1.9 a go
> on my sensor.  
>
> While I can't say I've seen any bugs, one thing that would make testing
> easier would be the ability to turn individual stream4/frag2 tests on or
> off.  I could only manage to find a handful of such options.  
>
> For example, if the focus was currently on ttl tweakage in IDS evasion, it
> would be cool to use stream4 to detect ttl evasion and ttl evasion only.

Yes, after real world usage and having a reason for the stream
assembler to really alert, we will have to do this and have a
"ignore_common" or something like that option
-- 
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.





More information about the Snort-devel mailing list