[Snort-users] I keep getting an alert from my own SQL server

Jeff Ramsey ramsejc at ...7107...
Thu Oct 10 08:13:25 EDT 2002


Hi all,
	I keep getting the following alert from my SQL server:

#BEGINNING OF ALERT ----------------------------------------------------
Meta
ID # Time Triggered Signature
1 - 27 2002-10-07 20:27:31 spp_stream4: possible EVASIVE RST detection
Sensor name interface filter
XXX.XXX.XXX.XXX eth0  none 
Alert
Group   none 
IP
source addr   dest addr   Ver Hdr Len TOS length ID flags offset TTL chksum
XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX 4 5 0 43 0 0 0 32 3189
FQDN Source Name Dest. Name
mysqlserver.domain.com mysnortbox.domain.com
Options     none
TCP
source port   dest port   R1 R0 URG ACK PSH RST SYN FIN   seq #   ack   offset   res   window   urp   chksum
3306 1079 X X 3993767987 0 5 0 0 0 16296
Options     none
Payload

length = 3

000 : 63 6B 6F                                          cko
#END OF ALERT ----------------------------------------------------------

	If I comment out the stream4 parts of snort.conf, these messages stop.
I want the stream4 part so I can check for port scanning. How can I get
Snort to ignore these packets from my SQL server?
-- 

Jeff Ramsey
MIS Administrator
Tubafor Mill, Inc.





