[Snort-users] stream4 issues: possible EVASIVE RST detection
creining at ...6890...
Mon Oct 14 21:45:05 EDT 2002
You want to pass the disable_evasion_alerts argument to stream4 in
On 14 Oct 2002 21:14:21 -0700
Ben Keepper <lists at ...3351...> wrote:
> I have just implemented a large (25 sensors plus) IDS of Snort on a
> large corporate network.
> We are getting inundated by "spp:possible EVASIVE RST detection"
> I have tracked these down to about 20 NT 4 servers where apparently
> the TCP/IP stacks are jacked.
> In the meantime I need to eliminate these alerts.
> After reading the FAQ and the archives, it seems I need to modify the
> Stream4 preprocessor.
> The FAQ specifies adding a "-z est" option to the command line.
> I am a little confused as to the method of introducing this argument
> to snort.
> (We are using Demarc for Snort management).
> So do I have to modify Demarc to start Snort with the "-z est" options
> or can this be done via snort.conf?
> Or is there a better way to modify the preprocessor to keep the
> benefits but turn down the noise?
> Any help would be greatly appreciated.
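An added example, not part of the original thread: with 25 or more sensors, the `disable_evasion_alerts` option named in the reply has to reach every sensor's snort.conf, so this sketch appends it to each active `preprocessor stream4` directive while keeping the options already set. The function name and the sample configuration are constructed for illustration, and each directive is assumed to sit on a single line.

```python
import re

OPTION = "disable_evasion_alerts"
# Active "preprocessor stream4" directive, with or without options after the
# colon. stream4_reassemble and commented-out lines do not match.
STREAM4 = re.compile(r"^(\s*preprocessor\s+stream4)\s*(?::\s*(.*?))?\s*$")

# Constructed sample snort.conf fragment (not taken from the thread).
SAMPLE = """\
preprocessor frag2
preprocessor stream4: detect_scans, timeout 60
preprocessor stream4_reassemble
#preprocessor stream4: detect_scans
"""


def add_stream4_option(conf_text, option=OPTION):
    """Return (new_text, changed).

    Adds `option` to every active stream4 directive that lacks it and
    leaves all other lines untouched, so a second run changes nothing.
    """
    out, changed = [], False
    for line in conf_text.splitlines():
        m = STREAM4.match(line)
        if m:
            # Options are comma separated; some carry a value ("timeout 60").
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            if option not in opts:
                opts.append(option)
                line = f"{m.group(1)}: {', '.join(opts)}"
                changed = True
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = add_stream4_option(SAMPLE)
    print("modified" if changed else "already set")
    print(new_text, end="")
```

The option is set on the preprocessor as a whole, so it silences these alerts for all traffic the sensor sees, not only for the NT 4 servers.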