[Snort-users] spp_stream4 alerts "un-disable-able" ? :-)

Edwin Eefting edwin at ...2758...
Thu May 23 09:02:06 EDT 2002


I can't seem to disable the new fragroute detection alerts in snort Version
1.9-dev (Build 147).

I just tried the latest cvs version, but I still get flooded with hunderds
of alerts per minute. (i'm have to sniff a data stream of approx.

I get things like "(spp_stream4) possible EVASIVE RST detection"
and "(spp_stream4) Multiple Acked Packets (possible fragroute)" and many

Do I just have to wait because this off course is the development version,
or is this a real bug? (or something that has been forgotten)

Here is the preprocessor part of my snort.conf:
#preprocessor defrag
preprocessor frag2

#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: memcap 64000000 disable_evasion_alerts
preprocessor stream4_reassemble: noalerts 1 

#teveel:preprocessor unidecode: 80
#preprocessor unidecode: -unicode -cginull 80
#preprocessor http_decode: -unicode -cginull 80
# snort doesn't start anymore with -unicode and -cginull (errors)
preprocessor http_decode: 80

preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
#preprocessor portscan: $HOME_NET 4 30 portscan.log
#preprocessor portscan-ignorehosts: $DNS_SERVERS

preprocessor arpspoof

Edwin Eefting
Met vriendelijke groet,      /\ ___/          
Edwin Eefting               /- \ _/  Business Internet Trends BV
                           /--- \/           __________________

More information about the Snort-users mailing list