[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon May 20 13:50:03 EDT 2002


Well, figures that I just nuked most of my dev database...   But here are
the two I have left:

(spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
(spp_stream4) TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection

And... Sweet.

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Monday, May 20, 2002 3:38 PM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Asynchlink question...
>
> Nope, we actually don't, but it seemed to be the only way to avoid the 
> large burden of several evasion alerts that were actually not evasions 
> (our firewall or core router causes most of them to happen).

Evasion alerts from what?  What's the prefix? :-)

Anyway, I have now added internal_alerts option to http_decode if you want
alerts from the http decoder.  That's being worked on as well. It's noisier
than the old one :)
-- 
Chris Green <cmg at ...402...>
Fame may be fleeting but obscurity is forever.



