[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue May 21 07:39:02 EDT 2002


I compiled in the changes that you made to http_decode and tested
disable_evasion_alerts on this newest build (147).  This build is far less
noisy than the previous one we attempted (139).  I think there's only one thing
left.

I get:
(spp_stream4) TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
...about 10 times a minute (per sensor) even with the disable_evasion_alerts
flag.

If it helps, I'm currently only testing on 2 interfaces; both are looking at
data going to our HTTP proxy servers.

Thanks for all your help on this stuff.

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Monday, May 20, 2002 4:07 PM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Well, figures that I just nuked most of my dev database...   But here are
> the two I have left:
>
> (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
> (spp_stream4) TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection

disable_evasion_alerts as an argument to stream4
-- 
Chris Green <cmg at ...402...>
"Yeah, but you're taking the universe out of context."
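
Added illustration, not part of the thread and not a file from the Snort project: the stream4 preprocessor line that the reply points at, next to a rule rewritten from `flags:A+` to the `flow` keyword named in the subject line. Assumptions: snort.conf syntax of the Snort 1.8/1.9 era, the `detect_scans` and `detect_state_problems` options alongside `disable_evasion_alerts`, `flow:to_server,established` as the replacement for `flags:A+`, and placeholder proxy port, message strings and local sids.

```snort
# Added example snort.conf fragment (not from the thread); Snort 1.8/1.9-era syntax assumed.

# Before: stream4 with evasion alerts enabled. The two messages quoted in the
# thread (TCP CHECKSUM CHANGED ON RETRANSMISSION, TCP TOO FAST RETRANSMISSION
# WITH DIFFERENT DATA SIZE) come from this preprocessor. detect_scans and
# detect_state_problems are assumed option names, not taken from the thread.
# preprocessor stream4: detect_scans, detect_state_problems

# After: same preprocessor with the evasion alerts suppressed, as the reply
# suggests. disable_evasion_alerts is the only option the thread confirms.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble

# Rule written the old way: it matches on the ACK bit alone, so it also fires
# on stray or spoofed ACK-bearing packets that stream4 never saw a handshake for.
# Proxy port 8080 and the sids are placeholders.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"WEB-PROXY request (flags A+)"; flags:A+; content:"GET "; depth:4; sid:1000001; rev:1;)

# The same rule with the flow keyword: stream4 must have tracked the session
# through its three-way handshake, and only the client-to-server direction
# is inspected, so the content match is not applied to untracked packets.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"WEB-PROXY request (flow established)"; flow:to_server,established; content:"GET "; depth:4; sid:1000002; rev:1;)
```

Two practical checks: the flow-based rule only ever matches when stream4 is loaded, since the established state comes from the preprocessor and not from the packet's flag bits, so disabling stream4 silently turns such rules off; and, as the first message in this thread reports, on build 147 the TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE message was still appearing with disable_evasion_alerts set, so verify on your own sensor output rather than assuming the option silences every stream4 message.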
