[Snort-users] stream4 issues: possible EVASIVE RST detection

Ben Keepper lists at ...3351...
Mon Oct 14 21:15:05 EDT 2002

I have just implemented a large (25 sensors plus) IDS of Snort on a
large corporate network.

We are getting inundated by "spp:possible EVASIVE RST detection" alerts.

I have tracked these down to about 20 NT 4 servers where apparently the
TCP/IP stacks are jacked.

In the meantime I need to eliminate these alerts.

After reading the FAQ and the archives, it seems I need to modify the
Stream4 preprocessor.

The FAQ specifies adding a "-z est" option to the command line.

I am a little confused as to the method of introducing this argument to
(We are using Demarc for Snort management).

So do I have to modify Demarc to start Snort with the "-z est" option,
or can this be done via snort.conf?

Or is there a better way to modify the preprocessor to keep the benefits
but turn down the noise?

Any help would be greatly appreciated.