[Snort-sigs] stream4

Marcus Schwartz mschwa04 at ...136...
Sun Sep 30 21:03:02 EDT 2001


I've got an issue with the stream4 preprocessor and the area I'm trying
to monitor.  I just want snort to report on network activity to/from the
computer it's running on, and I'm able to do that for the regular rules,
but the preprocessors (most annoyingly stream4) are bothering me with
traffic that doesn't concern me (i.e. it's from and to ip addresses that
are from other devices on the LAN, and are neither to nor from me).  Is
there a way to have stream4 only alert me of traffic to/from me?  I
tried putting noalerts in stream4_reassemble so I wouldn't get any
alerts from stream4 at all, but it still kept sending me alerts.
Particularly annoying is that it reports "spp_stream4: STEALTH ACTIVITY
(Vecna scan) detection" frequently whenever anybody on my LAN who is
using the fasttrak/kazaa/morpheus filesharing service gets connected to
by another fasttrak/kazaa/morpheus client (incidentally, this particular
service only connects port 1214, which could be useful for keeping snort
from alerting me whenever I'm using one of these services).  So is there
any way to only be bothered by attacks on me, not attacks to anywhere on
my LAN?  I don't want to disable alerts from other computers on my LAN
to me, only alerts that don't involve me at all.  I've tried running it
with promiscuous node turned off, but then it didn't detect anything at
all, and snort never used any cpu.

I'm using snort 1.8.1b79 win32 static with the default ruleset, somewhat
modified.  I'm launching it with idscenter 1.08d, the commandline is
C:\Stuff\Snort\snort.exe -c C:\Stuff\Snort\snort.conf -l
C:\Stuff\Snort\logs -N -A full -h myipremoved/32 -i 1 -o -G url
My stream4 related settings are
preprocessor stream4: detect_scans,memcap 33554432
preprocessor stream4_reassemble: clientonly,ports 21 23 25 63 80 143 110
111 513 9874 9875 9876 9877

Help would be greatly appreciated.

 -=Marcus





More information about the Snort-sigs mailing list