[Snort-users] spp_stream4: TTL EVASION (reassemble) detection?

bthaler at ...2720... bthaler at ...2720...
Mon Jul 15 11:56:08 EDT 2002

Hi.  I just upgraded my 1.8.6 to 1.8.7, and now I'm getting tons of
"spp_stream4: TTL EVASION (reassemble) detection "

My snort.conf has:
preprocessor stream4: detect_scans, disable_evasion_alerts

I assumed that this setting would eliminate these alerts, but it doesn't appear to be working.  The signature does say "reassemble",
but I don't see any similar option for stream4_reassemble.

Any help is appreciated.


Brad T.

More information about the Snort-users mailing list