[Snort-users] spp_stream4 alerts "un-disable-able" ? :-)
edwin at ...2758...
Thu May 23 09:02:06 EDT 2002
I can't seem to disable the new fragroute detection alerts in snort Version
1.9-dev (Build 147).
I just tried the latest CVS version, but I still get flooded with hundreds
of alerts per minute. (I have to sniff a data stream of approx.
I get things like "(spp_stream4) possible EVASIVE RST detection"
and "(spp_stream4) Multiple Acked Packets (possible fragroute)" and many
Do I just have to wait because this of course is the development version,
or is this a real bug? (or something that has been forgotten)
Here is the preprocessor part of my snort.conf:
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: memcap 64000000 disable_evasion_alerts
preprocessor stream4_reassemble: noalerts 1
#too much:preprocessor unidecode: 80
#preprocessor unidecode: -unicode -cginull 80
#preprocessor http_decode: -unicode -cginull 80
# snort doesn't start anymore with -unicode and -cginull (errors)
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
#preprocessor portscan: $HOME_NET 4 30 portscan.log
#preprocessor portscan-ignorehosts: $DNS_SERVERS
Kind regards, /\ ___/
Edwin Eefting /- \ _/ Business Internet Trends BV
/--- \/ __________________