joey at ...47...
Tue Jul 9 14:37:12 EDT 2002
Yeah, Snort detects the packet being sent to the web proxy has a
different checksum than the one being sent from the web proxy.
Fragrouted traffic from a single source can look like this. Snort's
saying "Ah ha! you have already sent this packet, and the one you are
sending again is different!" You can look into the fragroute docs for
information on why this is fun.
So to turn this off you can add the "disable_evasion_alerts" argument to
the stream4 preprocessor.
preprocessor stream4: detect_scans, disable_evasion_alerts
Hope this helps,
Silicon Defense: IDS Solutions
Jason Gauthier wrote:
> I have started snort up, and am fine tuning my rules. I'm getting this
> message A LOT.
> It comes from the same system every time. My transparent web proxy.
> I'm not really understanding what's going on. I'm guessing that this is the
> stream4 preprocessor and the message is coming up because it's transparently
> sending it to another box.
> My question then, since this is a "false positive", is what can I do about
> ignoring it?
> Thanks kindly,
> spp_stream4: TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute)
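The check described in the reply above, as an added example that is not part of the original thread and is not Snort's stream4 code: a simplified model that remembers the checksum first seen for each TCP segment and flags a later copy of the same segment whose checksum differs. The Segment fields, the RetransmissionTracker class, the addresses and the checksum values are all constructed for illustration.

```python
# Simplified model of a "checksum changed on retransmission" check.
# Assumption: a segment is identified by its 4-tuple, sequence number and length.
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport seq length checksum")


class RetransmissionTracker:
    def __init__(self):
        # (src, sport, dst, dport, seq, length) -> checksum of the first copy seen
        self.seen = {}

    def inspect(self, seg):
        """Return 'new', 'retransmission' or 'checksum_changed' for one segment."""
        key = seg[:6]
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = seg.checksum
            return "new"
        if first == seg.checksum:
            # Identical copy: an ordinary TCP retransmission, nothing to report.
            return "retransmission"
        # Same sequence range, different checksum: the condition behind the alert.
        return "checksum_changed"


def classify(segments):
    """Run a fresh tracker over segments in capture order."""
    tracker = RetransmissionTracker()
    return [tracker.inspect(s) for s in segments]


# Constructed sample: what a sensor could record when it sees a segment once on
# its way to a transparent proxy and again, rewritten, on its way out.
FLOW = ("10.0.0.5", 40000, "192.0.2.80", 80)
SAMPLE = [
    Segment(*FLOW, seq=1000, length=120, checksum=0x1A2B),  # first sighting
    Segment(*FLOW, seq=1120, length=80, checksum=0x3C4D),   # next data segment
    Segment(*FLOW, seq=1000, length=120, checksum=0x1A2B),  # identical retransmit
    Segment(*FLOW, seq=1000, length=120, checksum=0x9F00),  # same seq, new checksum
]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(f"seq={seg.seq} checksum={seg.checksum:#06x} -> {verdict}")
```

Only the last sample segment is flagged; the identical retransmission before it is not.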