[Snort-users] stream4 issues: possible EVASIVE RST detection
lists at ...3351...
Mon Oct 14 21:15:05 EDT 2002
I have just implemented a large (25 sensors plus) IDS of Snort on a
large corporate network.
We are getting inundated by "spp:possible EVASIVE RST detection" alerts.
I have tracked these down to about 20 NT 4 servers where apparently the
TCP/IP stacks are jacked.
In the meantime I need to eliminate these alerts.
After reading the FAQ and the archives, it seems I need to modify the
The FAQ specifies adding a "-z est" option to the command line.
I am a little confused as to the method of introducing this argument to
(We are using Demarc for Snort management).
So do I have to modify Demarc to start Snort with the "-z est" option,
or can this be done via snort.conf?
Or is there a better way to modify the preprocessor to keep the benefits
but turn down the noise?
Any help would be greatly appreciated.