[Snort-devel] Stream4 oddity2

Pascal Bouchareine pb at ...858...
Mon May 13 02:50:03 EDT 2002


Same here.

I had a quick look at the code, the if (s4data.evasion_alert or alike..)
is present for *most* alerts. However, despite my disable_ev._alerts,
this still screams.. Gnhi ?

With an asymmetric routing scheme and no state exchange between my sensors,
this gives a *lot* (4000, 5000 per minute) of alerts of this kind.

We will definitely need a way to mute this as code gets tuned,
maybe with some degree of details [as far as this alerts on, say, a TTL 
change, which here is not wanted].

On Tue, Apr 30, 2002 at 02:41:14PM -0500, Kreimendahl, Chad J wrote:
> 
> Sorry about this, I meant to include it, but have had quite a bit going on
> today:
> 
> Here's my stream4 setup: w/ 126 and 133
> preprocessor stream4: detect_scans, disable_evasion_alerts, memcap 67108864,
> timeout 30
> 
> I get massive amounts of "spp_stream4: TCP CHECKSUM CHANGED ON
> RETRANSMISSION (possible fragroute) detection " even with
> 'disable_evasion_alerts'
> 
> Anyone?
> 

-- 
Kalou
Plan to be spontaneous tomorrow



