[Snort-devel] Stream4 oddity2
pb at ...858...
Mon May 13 02:50:03 EDT 2002
I had a quick look to the code, the if (s4data.evasion_alert or alike..)
is present for *most* alerts. However, despite my disable_ev._alerts,
this still screams.. Gnhi ?
With an asymetric routing scheme and no state exchange between my sensors,
this gives a *lot* (4000, 5000 per minute) of alerts of this kind.
We will definitively need a way to mute this as code gets tuned,
maybe with some degree of details [as far as this alerts on, say, a TTL
change, which here is not wanted].
On Tue, Apr 30, 2002 at 02:41:14PM -0500, Kreimendahl, Chad J wrote:
> Sorry about this, I meant to include it, but have had quite a bit going on
> Here's my stream4 setup: w/ 126 and 133
> preprocessor stream4: detect_scans, disable_evasion_alerts, memcap 67108864,
> timeout 30
> I get massive amounts of "spp_stream4: TCP CHECKSUM CHANGED ON
> RETRANSMISSION (possible fragroute) detection " even with
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: bandwidth at ...1372...
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
Plan to be spontaneous tomorrow
More information about the Snort-devel