[Snort-devel] Stream 4 Question

Erickson Brent W KPWA erickson at ...593...
Tue Jan 24 08:09:06 EST 2006

Hello Steve and Will,

Thanks again.

Suppression was very easy to accomplish.

At the bottom of my configuration I added:

suppress gen_id 111, sig_id 2 (evasive RST packets)
suppress gen_id 111, sig_id 16 (TCP CHECKSUM CHANGED ON RETRANSMISSION)
suppress gen_id 111, sig_id 17 (TCP TOO FAST RETRANSMISSION WITH DIFFERENT

Sig_id 16 and 17 were going off against many known and semi-trusted hosts.

I may tune them for source and destination addresses or a CIDR range.

Your help is greatly appreciated.


-----Original Message-----
From: Erickson Brent W KPWA 
Sent: Tuesday, January 24, 2006 6:00 AM
To: 'Steven Sturges'; Will Metcalf
Cc: Brent Erickson; snort-devel at lists.sourceforge.net
Subject: RE: [Snort-devel] Stream 4 Question

Hello Steve and Will,

Thank you both very much for your responses.

I will look into the event ID suppression first.

I remember reading about it but I should have dug deeper.

And thanks for the diff Will.


-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Steven Sturges
Sent: Tuesday, January 24, 2006 5:52 AM
To: Will Metcalf
Cc: Brent Erickson; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Stream 4 Question

Brent, Will--

You should be able to set a suppression for that particular
event ID to eliminate the evasive reset events that you see.

The next generation streaming module is in the works,
but we are at the tail end of the design phase at this point.

We do have something coming up that will make all preprocessor
events configurable the same way as rules.


Will Metcalf wrote:
> I know that there is talk of making the evasion alerting configurable
> like the decoder alerting but I have no idea where that is at the
> moment.  Maybe we will see it in stream5.  If you just want a quick
> and dirty hack to disable alerting on RST's from stream4 I have
> included a diff that will do that for you.  All it does is comment out
> the code that adds the STREAM4_EVASIVE_RST event to the snort event
> queue in spp_stream4.c.
> Regards,
> Will
> On 1/23/06, Brent Erickson <ericksonb at ...2853...> wrote:
>>Hello Snort developers,
>>I am a long time Snort user.
>>I have been using Snort since version 1.6 and currently run version 2.43.
>>Is it possible to run the Stream 4 processor with "disable_evasion
>>_alerts enabled, but some how disable evasive reset alerts that are
>>always seen with HTTP browsing resets?
>>I'd like to run the processor with "disable_evasion_alerts removed from
>>the default configuration but the evasive reset alerts go off constantly.
>>Many thanks for your help and time.
>>Brent Erickson

This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
Snort-devel mailing list
Snort-devel at lists.sourceforge.net

More information about the Snort-devel mailing list