[Snort-devel] Stream 4 Question

Will Metcalf william.metcalf at ...2499...
Mon Jan 23 22:55:02 EST 2006


I know that there is talk of making the evasion alerting configurable
like the decoder alerting but I have no idea where that is at the
moment.  Maybe we will see it in stream5.  If you just want a quick
and dirty hack to disable alerting on RST's from stream4 I have
included a diff that will do that for you.  All it does is comment out
the code that adds the STREAM4_EVASIVE_RST event to the snort event
queue in spp_stream4.c.

Regards,

Will

On 1/23/06, Brent Erickson <ericksonb at ...2853...> wrote:
> Hello Snort developers,
>
> I am a long time Snort user.
>
> I have been using Snort since version 1.6 and currently run version 2.43.
>
> Is it possible to run the Stream 4 processor with "disable_evasion
> _alerts enabled, but some how disable evasive reset alerts that are
> always seen with HTTP browsing resets?
>
> I'd like to run the processor with "disable_evasion_alerts removed from
> the default configuration but the evasive reset alerts go off constantly.
>
> Many thanks for your help and time.
>
> Sincerely,
>
> Brent Erickson
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-2.4.3-no-rst-alert-hack.diff
Type: application/octet-stream
Size: 1474 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060123/1bba52c9/attachment.obj>


More information about the Snort-devel mailing list