[Snort-users] stream4 issues: possible EVASIVE RST detection

Chris Reining creining at ...6890...
Mon Oct 14 21:45:05 EDT 2002


You want to pass the disable_evasion_alerts argument to stream4 in
snort.conf.

Bye

On 14 Oct 2002 21:14:21 -0700
Ben Keepper <lists at ...3351...> wrote:

> I have just implemented a large (25 sensors plus) IDS of Snort on a
> large corporate network.
> 
> We are getting inundated by "spp:possible EVASIVE RST detection"
> alerts.
> 
> I have tracked these down to about 20 NT 4 servers where apparently
> the TCP/IP stacks are jacked.
> 
> In the meantime I need to eliminate these alerts.
> 
> After reading the FAQ and the archives, it seems I need to modify the
> Stream4 preprocessor.
> 
> The FAQ specifies adding a "-z est" option to the command line.
> 
> I am a little confused as to the method of introducing this argument
> to snort.
> (We are using Demarc for Snort management).
> 
> So do I have to modify Demarc to start Snort with the "-z est" options
> or can this be done via snort.conf?
> 
> Or is there a better way to modify the preprocessor to keep the
> benefits but turn down the noise?
> 
> Any help would be greatly appreciated.
> 
> TIA,
> 
> Ben 
> 
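
The shell functions below are an added example, not part of the original thread or of the Snort project: they check whether a sensor's snort.conf already passes disable_evasion_alerts to stream4 and print a patched copy if it does not. They assume the stream4 arguments are comma-separated on a single `preprocessor stream4` line with no trailing comment; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and patch the stream4 line of a snort.conf.

# Print the active (uncommented) stream4 preprocessor line, if any.
# stream4_reassemble is a separate preprocessor and must not match.
stream4_line() {
    grep -E '^[[:space:]]*preprocessor[[:space:]]+stream4[[:space:]]*(:|$)' "$1" | head -n 1
}

# Exit 0 when the active stream4 line already disables evasion alerts.
evasion_alerts_disabled() {
    stream4_line "$1" | grep -qw 'disable_evasion_alerts'
}

# Write a patched copy of the config to stdout; unchanged if already set.
patch_stream4() {
    if evasion_alerts_disabled "$1"; then
        cat "$1"
        return 0
    fi
    awk '
        !done && /^[ \t]*preprocessor[ \t]+stream4[ \t]*(:|$)/ {
            sub(/[ \t]+$/, "")                 # trim trailing blanks
            if ($0 ~ /stream4$/)  $0 = $0 ": disable_evasion_alerts"
            else if ($0 ~ /:$/)   $0 = $0 " disable_evasion_alerts"
            else                  $0 = $0 ", disable_evasion_alerts"
            done = 1                           # patch the first match only
        }
        { print }
    ' "$1"
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# preprocessor stream4: disable_evasion_alerts
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
EOF
patch_stream4 "$sample"
rm -f "$sample"
```

The option applies to the whole preprocessor, so it silences the alert for every host a sensor sees, not only the NT 4 servers.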



