[Snort-devel] Stream 4 Question

Will Metcalf william.metcalf at ...2499...
Tue Jan 24 06:04:02 EST 2006


> And thanks for the diff Will.
>

Happy to kill a fly with a sledgehammer anytime.  You should listen to
Steve and use event suppression.

Regards,

Will

On 1/24/06, Erickson Brent W KPWA <erickson at ...593...> wrote:
> Hello Steve and Will,
>
> Thank you both very much for your responses.
>
> I will look into the event ID suppression first.
>
> I remember reading about it but I should have dug deeper.
>
> And thanks for the diff Will.
>
> Brent
>
> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Steven Sturges
> Sent: Tuesday, January 24, 2006 5:52 AM
> To: Will Metcalf
> Cc: Brent Erickson; snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] Stream 4 Question
>
>
> Brent, Will--
>
> You should be able to set a suppression for that particular
> event ID to eliminate the evasive reset events that you see.
>
> The next generation streaming module is in the works,
> but we are at the tail end of the design phase at this point.
>
> We do have something coming up that will make all preprocessor
> events configurable the same way as rules.
>
> Cheers.
> -steve
>
> Will Metcalf wrote:
> > I know that there is talk of making the evasion alerting configurable
> > like the decoder alerting but I have no idea where that is at the
> > moment.  Maybe we will see it in stream5.  If you just want a quick
> > and dirty hack to disable alerting on RSTs from stream4 I have
> > included a diff that will do that for you.  All it does is comment out
> > the code that adds the STREAM4_EVASIVE_RST event to the snort event
> > queue in spp_stream4.c.
> >
> > Regards,
> >
> > Will
> >
> > On 1/23/06, Brent Erickson <ericksonb at ...2853...> wrote:
> >
> >>Hello Snort developers,
> >>
> >>I am a long time Snort user.
> >>
> >>I have been using Snort since version 1.6 and currently run version 2.43.
> >>
> >>Is it possible to run the Stream 4 processor with "disable_evasion_alerts"
> >>enabled, but somehow disable evasive reset alerts that are
> >>always seen with HTTP browsing resets?
> >>
> >>I'd like to run the processor with "disable_evasion_alerts" removed from
> >>the default configuration but the evasive reset alerts go off constantly.
> >>
> >>Many thanks for your help and time.
> >>
> >>Sincerely,
> >>
> >>Brent Erickson