[Snort-users] Lots of "spp_stream4: TTL EVASION (reasemble) "

Mark Rowlands mark.rowlands at ...752...
Sat Jul 27 16:06:04 EDT 2002


On Thu July 25 2002 21:20, Augustinho Catto wrote:
> Dear gurus:
> Since I installed snort 1.87 version I received lots of alerts kind
> "spp_stream4: TTL EVASION (reassemble) detection ".
> It happened in spite of fact I´ve already set:
> "preprocessor stream4: disable_evasion_alerts" and
> "preprocessor stream4_reassemble: noalerts" in snort.conf.
> In this network exists a "Total Control" which receive dial-up
> connections.
> How could avoid this false alerts?
> TIA,
> Catto
>

try 

preprocessor stream4: detect_scans,disable_evasion,noalerts

and run it in cmdline mode first and check the Stream4 config output.




More information about the Snort-users mailing list