[Snort-devel] Stream 4 Question

Steven Sturges steve.sturges at ...402...
Tue Jan 24 05:54:12 EST 2006

Brent, Will--

You should be able to set a suppression for that particular
event ID to eliminate the evasive reset events that you see.

The next generation streaming module is in the works,
but we are at the tail end of the design phase at this point.

We do have something coming up that will make all preprocessor
events configurable the same way as rules.


Will Metcalf wrote:
> I know that there is talk of making the evasion alerting configurable
> like the decoder alerting but I have no idea where that is at the
> moment.  Maybe we will see it in stream5.  If you just want a quick
> and dirty hack to disable alerting on RST's from stream4 I have
> included a diff that will do that for you.  All it does is comment out
> the code that adds the STREAM4_EVASIVE_RST event to the snort event
> queue in spp_stream4.c.
> Regards,
> Will
> On 1/23/06, Brent Erickson <ericksonb at ...2853...> wrote:
>>Hello Snort developers,
>>I am a long time Snort user.
>>I have been using Snort since version 1.6 and currently run version 2.43.
>>Is it possible to run the Stream 4 processor with "disable_evasion
>>_alerts enabled, but some how disable evasive reset alerts that are
>>always seen with HTTP browsing resets?
>>I'd like to run the processor with "disable_evasion_alerts removed from
>>the default configuration but the evasive reset alerts go off constantly.
>>Many thanks for your help and time.
>>Brent Erickson

More information about the Snort-devel mailing list