[Snort-users] spp_stream4

Joe McAlerney joey at ...47...
Tue Jul 9 14:37:12 EDT 2002


Yeah, Snort detects the packet being sent to the web proxy has a
different checksum than the one being sent from the web proxy. 
Fragrouted traffic from a single source can look like this.  Snort's
saying "Ah ha! you have already sent this packet, and the one you are
sending again is different!"  You can look into the fragroute docs for
information on why this is fun.

So to turn this off you can add the "disable_evasion_alerts" argument to
the stream4 preprocessor.

preprocessor stream4: detect_scans, disable_evasion_alerts

Hope this helps,

-Joe M.

-- 
Joe McAlerney
Silicon Defense: IDS Solutions

Jason Gauthier wrote:
> 
> I have started Snort up, and am fine tuning my rules. I'm getting this
> message A LOT.
> It comes from the same system every time.  My transparent web proxy.
> 
> I'm not really understanding what's going on. I'm guessing that this is the
> stream4 preprocessor and the message is coming up because it's transparently
> sending it to another box.
> 
> My question then, since this is a "false positive", is what can I do about
> ignoring it?
> 
> Thanks kindly,
> 
> Jason
> 
> ======================
> Message:
> spp_stream4: TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute)
> detection
> 
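The check described in the reply above, as an added example that is not part of the original thread and is not Snort's stream4 code: a simplified model that remembers the TCP checksum first seen for each flow and sequence number and reports a later segment at the same sequence number whose checksum differs. The class and function names, addresses, ports and payloads are all constructed for illustration.

```python
import socket
import struct

def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(src, dst, sport, dport, seq, payload):
    """Constructed test input: 20-byte header, PSH|ACK, valid checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 8192, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def parse_tcp(segment):
    """Return (sport, dport, seq, checksum, payload) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _, off_flags, _, csum, _ = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    if not 20 <= hdr_len <= len(segment):
        raise ValueError("bad data offset")
    return sport, dport, seq, csum, segment[hdr_len:]

class RetransmissionChecker:
    """Simplified model (assumption): one stored checksum per flow and sequence number."""
    def __init__(self):
        self.seen = {}

    def observe(self, src, dst, segment):
        sport, dport, seq, csum, payload = parse_tcp(segment)
        if not payload:
            return None  # nothing to compare on a bare ACK
        first = self.seen.setdefault((src, sport, dst, dport, seq), csum)
        if first == csum:
            return None  # first sighting or an identical retransmission
        return f"checksum changed on retransmission {src}:{sport}->{dst}:{dport} seq={seq}"

def demo():
    src, dst = "192.0.2.10", "198.51.100.5"  # documentation addresses, constructed
    original = build_segment(src, dst, 40000, 80, 1000, b"GET /index.html HTTP/1.0\r\n")
    altered = build_segment(src, dst, 40000, 80, 1000, b"GET /other.html HTTP/1.0\r\n")
    checker = RetransmissionChecker()
    return [checker.observe(src, dst, s) for s in (original, original, altered)]
```

An identical retransmission passes silently; only the third segment, which reuses sequence number 1000 with different data and therefore a different checksum, is reported.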



