[Snort-sigs] (spp_stream4) STEALTH ACTIVITY (unknown) detection

Matt Kettler mkettler at ...189...
Wed Jul 23 13:59:03 EDT 2003


At 04:19 PM 7/23/2003 -0400, Josh.Sakofsky at ...1573... wrote:

>When a user within my network tries to access http://www.sonystyle.com, I 
>end up with these types of alerts:
>
>
>------------------------------------------------------------------------------
>#(4 - 136849) [2003-07-23 13:20:33] [snort/1]  (spp_stream4) STEALTH 
>ACTIVITY (unknown) detection
>IPv4: 129.33.21.28 -> XXX.XXX.XXX.XXX
>      hlen=5 TOS=0 dlen=175 ID=35498 flags=0 offset=0 TTL=109 chksum=50030
>TCP:  port=80 -> dport: 38279  flags=***APR** seq=15200

<snip>

>Does anybody have any idea why or how to turn this off?

remove the "detect_scans" part of your stream4 preprocessor statement in 
snort.conf.

#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set

APR is a pretty unusual flag combination for a legitimate webserver to be 
issuing. Sounds like the server in question is running some kind of badly 
broken TCP stack.
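As an added illustration (this is not code from the thread above or from Snort itself), the script below decodes the flag field Snort prints in its TCP line, judges whether the combination is one a sane stack would send, and shows the configuration change Matt suggests by stripping detect_scans from a stream4 preprocessor line. Assumptions: Snort renders TCP flags as a fixed-order 8-character string "12UAPRSF" with "*" for unset bits (so "***APR**" is ACK+PSH+RST); the anomaly rules are a hand-written approximation of what a stealth-scan detector looks for, not stream4's actual logic; the stream4 line is the form a Snort 2.0-era snort.conf typically used. All sample lines other than the one taken from the alert above are constructed.

```python
"""Decode Snort TCP flag strings, classify odd flag combinations, and strip
the detect_scans option from a stream4 preprocessor line.

Added example for the thread; not code from the original posts or from Snort.
"""
import re

# Assumption: Snort prints TCP flags in this fixed order, one character per
# flag (two reserved bits, URG, ACK, PSH, RST, SYN, FIN), '*' meaning unset.
FLAG_ORDER = "12UAPRSF"


def decode_flags(flag_str):
    """Turn a Snort flag string such as '***APR**' into a set like {'A','P','R'}."""
    if len(flag_str) != 8:
        raise ValueError("expected an 8-character Snort flag string: %r" % flag_str)
    flags = set()
    for expected, ch in zip(FLAG_ORDER, flag_str):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError("flag %r out of place in %r" % (ch, flag_str))
        flags.add(ch)
    return flags


def classify_flags(flags):
    """Return a short label for an anomalous combination, or None if it looks
    like ordinary TCP. Hand-written approximation, not stream4's real rules."""
    if not flags & set("UAPRSF"):
        return "null"                      # no flags at all: classic null scan
    if {"S", "F"} <= flags:
        return "SYN+FIN"                   # never legitimate together
    if {"S", "R"} <= flags:
        return "SYN+RST"
    if {"U", "P", "F"} <= flags and "A" not in flags:
        return "xmas"
    if {"R", "P"} <= flags:
        return "PSH+RST"                   # the ***APR** case from the alert above
    if "F" in flags and "A" not in flags:
        return "FIN without ACK"           # FIN scan
    return None


# Matches the "TCP:  port=80 -> dport: 38279  flags=***APR** seq=15200" line.
TCP_LINE_RE = re.compile(
    r"TCP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+flags=(\S{8})\s+seq=(\d+)")


def parse_tcp_line(line):
    """Pull source port, destination port, flag set and seq out of a Snort TCP line."""
    m = TCP_LINE_RE.search(line)
    if not m:
        return None
    sport, dport, flag_str, seq = m.groups()
    return {"sport": int(sport), "dport": int(dport),
            "flags": decode_flags(flag_str), "seq": int(seq)}


SAMPLE_TCP_LINES = [
    "TCP:  port=80 -> dport: 38279  flags=***APR** seq=15200",   # from the alert above
    "TCP:  port=80 -> dport: 38279  flags=***A**S* seq=1",       # constructed: normal SYN/ACK
    "TCP:  port=1234 -> dport: 22  flags=******S* seq=7",        # constructed: normal SYN
    "TCP:  port=1234 -> dport: 22  flags=******** seq=0",        # constructed: null scan
    "TCP:  port=1234 -> dport: 22  flags=**U*P**F seq=0",        # constructed: xmas scan
]


def triage(lines):
    """Return (sport, dport, verdict) for every parseable TCP line."""
    results = []
    for line in lines:
        pkt = parse_tcp_line(line)
        if pkt is None:
            continue
        results.append((pkt["sport"], pkt["dport"], classify_flags(pkt["flags"])))
    return results


def drop_detect_scans(conf_line):
    """Remove detect_scans from a 'preprocessor stream4: ...' line, keeping the
    other options. Non-stream4 lines are returned unchanged."""
    m = re.match(r"^(\s*preprocessor\s+stream4)\s*:\s*(.*)$", conf_line)
    if not m:
        return conf_line
    head, opts = m.groups()
    kept = [o.strip() for o in opts.split(",")
            if o.strip() and o.strip() != "detect_scans"]
    return head + (": " + ", ".join(kept) if kept else "")


if __name__ == "__main__":
    for sport, dport, verdict in triage(SAMPLE_TCP_LINES):
        print("%5d -> %5d  %s" % (sport, dport, verdict or "ok"))
    # Assumed typical Snort 2.0-era line, before and after the suggested change.
    print(drop_detect_scans("preprocessor stream4: detect_scans, disable_evasion_alerts"))
```

Only the first, fourth and fifth sample lines are labelled anomalous; an ordinary SYN or SYN/ACK passes. Dropping detect_scans silences the alert for the broken server, but note that it also silences the same check for every other host, so the trade-off is yours to make.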
