[Snort-devel] Stream 4 Question

Erickson Brent W KPWA erickson at ...593...
Tue Jan 24 06:01:03 EST 2006

Hello Steve and Will,

Thank you both very much for your responses.

I will look into the event ID suppression first.

I remember reading about it but I should have dug deeper.

And thanks for the diff Will.


-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Steven Sturges
Sent: Tuesday, January 24, 2006 5:52 AM
To: Will Metcalf
Cc: Brent Erickson; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Stream 4 Question

Brent, Will--

You should be able to set a suppression for that particular
event ID to eliminate the evasive reset events that you see.

The next generation streaming module is in the works,
but we are at the tail end of the design phase at this point.

We do have something coming up that will make all preprocessor
events configurable the same way as rules.


Will Metcalf wrote:
> I know that there is talk of making the evasion alerting configurable
> like the decoder alerting but I have no idea where that is at the
> moment.  Maybe we will see it in stream5.  If you just want a quick
> and dirty hack to disable alerting on RST's from stream4 I have
> included a diff that will do that for you.  All it does is comment out
> the code that adds the STREAM4_EVASIVE_RST event to the snort event
> queue in spp_stream4.c.
> Regards,
> Will
> On 1/23/06, Brent Erickson <ericksonb at ...2853...> wrote:
>>Hello Snort developers,
>>I am a long time Snort user.
>>I have been using Snort since version 1.6 and currently run version 2.43.
>>Is it possible to run the Stream 4 processor with "disable_evasion_alerts"
>>enabled, but somehow disable evasive reset alerts that are
>>always seen with HTTP browsing resets?
>>I'd like to run the processor with "disable_evasion_alerts" removed from
>>the default configuration but the evasive reset alerts go off constantly.
>>Many thanks for your help and time.
>>Brent Erickson
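Added illustration of the suppression approach Steve describes, not configuration taken from the thread: a snort.conf fragment that leaves stream4 evasion alerting on and silences only the evasive RST event, so the other state-problem events still fire. It assumes the event is generator 111, signature 2 as listed in Snort's gen-msg.map; check that pair against the [gid:sid:rev] prefix in your own alert output before relying on it.

```conf
# stream4 with evasion alerts left enabled: disable_evasion_alerts is NOT set,
# so evasive retransmission and window violation events are still reported.
preprocessor stream4: detect_scans, detect_state_problems
preprocessor stream4_reassemble

# Drop only the "Evasive RST packet" event from the event queue.
# GID 111 = spp_stream4, SID 2 = Evasive RST packet (assumed from gen-msg.map;
# verify against the [gid:sid:rev] tag in your alert output).
suppress gen_id 111, sig_id 2

# Narrower alternative: keep the event everywhere except for traffic to the
# web hosts that produce the HTTP browsing resets (constructed example subnet).
# suppress gen_id 111, sig_id 2, track by_dst, ip 192.0.2.0/24
```

Unlike commenting the event out of spp_stream4.c, this survives a Snort upgrade and can be reverted by deleting one line.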
