[Snort-devel] Stream4 oddities

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue Apr 30 12:43:15 EDT 2002


I just recently tested the differences between builds 126 and 133.  I've
noticed something that appears to have changed.   We used to get these when
we had detect_state_problems turned on:  "spp_stream4: possible EVASIVE RST
detection"

We turned it off because of the massive amounts of alerts it generated that
were caused mostly by our network configuration.  Well... In 133, with the
exact same configuration, they now begin appearing at the rate they did with
detect_state....  Leads me to believe that now it's on by default and maybe
there's some new directive to force it off?

Also, of course, there is the new: "spp_stream4: TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection"...

Does this mean that EVASIVE_RST is now a part of disable_evasion_alerts
instead of state_problems?



