[Snort-users] stream4 issues: possible EVASIVE RST detection

Daniel Miessler danielrm26 at ...125...
Tue Oct 15 11:07:04 EDT 2002


> preprocessor stream4: detect_scans,disable_evasion_alerts,ttl_limit 0

Great!  I knew there was something better than no_alerts.  :)  I knew it
wasn't Demarc...just that stream4 preprocessor... in snort.conf.

Thanks, man.

--Daniel

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Miller, Eoin
> Sent: Tuesday, October 15, 2002 1:36 PM
> To: Daniel Miessler; Ben Keepper; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] stream4 issues: possible EVASIVE RST
> detection
> 
> I am also using Demarc; this isn't something specific to Demarc, it's
> the new code in the stream4 preprocessor that was introduced. The
> chatter should be reduced if you disable the evasion alerts; here is
> how mine looks:
> 
> --start snip snort.conf--
> 
> hope this helps
> 
> > -----Original Message-----
> > From: Daniel Miessler [mailto:danielrm26 at ...125...]
> > Sent: Tuesday, October 15, 2002 1:16 PM
> > To: 'Ben Keepper'; snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] stream4 issues: possible EVASIVE RST
> > detection
> >
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > We are getting inundated by "spp:possible EVASIVE RST
> > detection" alerts.
> > >
> > > I have tracked these down to about 20 NT 4 servers where
> > apparently the
> > > TCP/IP stacks are jacked.
> >
> > I had the same problem and am using Demarc as well.   I
> > haven't tried upgrading to 1.9 yet to see if that was the
> > problem, but you can make that specific preprocessor be quiet
> > while you look into the issue.  Use the no_alerts option, or
> > whatever it is, and that will quiet it down.
> >
> > - --danielrm26
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 8.0 (Build 294) Beta
> >
> > iQEVAwUBPaxNX/Lu0CaZEvl2AQKTJQf+O7NmDNmA1oQJbAJuN3QkT0x3kMmyJoMp
> > 3Ag0nW/+Xf5uVOyEpO1yDAXv0esve717BeK26QHd8A/ZQNrO6/Nmma1C8H69YKYO
> > yf6w++Gbpfzsv+1Ro6+b9Pl4HMUFLTI9m52fwor5G945sypziBxrqcGtBiiNQOxM
> > 1LoNDAJWWcpbGdvjmNFM8QsDKdEJCHDBlC1i6r3qgHiHqekjpNCa4ZZES/9BM4jn
> > sfUjPmMHsllEsxk82NBORZQn9SEabrw4j/na1lEVJFTVsBPzRD5DdBn0n+IYVLJo
> > sekGq26I10g2hEu0162AE5b2sOpcMTCuXN8EDaUldr4ZS3GPytYWNQ==
> > =5i7V
> > -----END PGP SIGNATURE-----
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
> >
> 
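The point of the thread is that `disable_evasion_alerts` silences only the stream4 evasion alerts (the "possible EVASIVE RST detection" chatter from hosts with odd TCP stacks) while the rest of the preprocessor keeps alerting, whereas a blanket `no_alerts`-style setting would hide everything. The following script is an added example, not code from Snort or from anyone in the thread: it parses a `preprocessor stream4:` line from a snort.conf into its options and reports what the option set does to alert volume. The option names it recognises (`detect_scans`, `disable_evasion_alerts`, `ttl_limit`, and the `no_alerts` name Daniel half-remembers) are taken from the thread; the two config excerpts are constructed for illustration, and the "noisy" one is assumed, not a line anyone posted.

```python
"""
Inspect the 'preprocessor stream4:' line from a snort.conf and report how
its alerting is tuned.  Added example for the thread above, not Snort's
code; the option names it knows are the ones mentioned in the thread.
"""
import re

# Constructed snort.conf excerpts: the line Eoin posted, plus a contrasting
# (assumed) line that leaves the evasion alerts enabled.
TUNED_CONF = """\
# constructed excerpt
preprocessor stream4: detect_scans,disable_evasion_alerts,ttl_limit 0
preprocessor stream4_reassemble
"""

NOISY_CONF = """\
# constructed excerpt, evasion alerts left on
preprocessor stream4: detect_scans
"""

# Matches only the stream4 line, not stream4_reassemble (no ':' after 'stream4' there).
STREAM4_LINE = re.compile(r"^\s*preprocessor\s+stream4\s*:\s*(.*?)\s*$")


def parse_stream4_options(conf_text):
    """Return {option_name: value_or_None} for the first stream4 line,
    or None when the config has no stream4 preprocessor line.
    Options are comma separated; an option may carry one value after a
    space, as in 'ttl_limit 0'."""
    for line in conf_text.splitlines():
        match = STREAM4_LINE.match(line)
        if not match:
            continue
        options = {}
        for token in match.group(1).split(","):
            token = token.strip()
            if not token:
                continue
            name, _, value = token.partition(" ")
            options[name] = value.strip() or None
        return options
    return None


def assess_stream4(options):
    """Explain what the parsed option set does to stream4's alert volume.
    Returns a list of findings; the first word of each is a short tag."""
    if options is None:
        return ["MISSING stream4 preprocessor line not found; stream4 is not loaded"]
    findings = []
    if "no_alerts" in options:
        # The name as Daniel half-remembered it; a blanket switch hides every alert.
        findings.append("BROAD no_alerts-style silencing hides every stream4 alert, "
                        "not just the evasion ones")
    if "disable_evasion_alerts" in options:
        findings.append("TUNED evasion alerts (e.g. 'possible EVASIVE RST detection') "
                        "are suppressed; other stream4 alerts still fire")
    else:
        findings.append("NOISY evasion alerts are enabled; hosts with odd TCP stacks "
                        "will generate chatter")
    if "detect_scans" in options:
        findings.append("SCANS stealth-scan detection stays enabled")
    if "ttl_limit" in options:
        # Value reported as configured; its semantics are not interpreted here.
        findings.append(f"TTL ttl_limit set to {options['ttl_limit']}")
    return findings


def tags(findings):
    """Reduce a findings list to its tags, handy for quick comparisons."""
    return [finding.split()[0] for finding in findings]


if __name__ == "__main__":
    for label, conf in (("tuned", TUNED_CONF), ("noisy", NOISY_CONF)):
        print(f"--- {label} ---")
        for finding in assess_stream4(parse_stream4_options(conf)):
            print(" ", finding)
```

Run it against a real snort.conf by reading the file into `parse_stream4_options`; the useful comparison is the tag list, where a config that loses `TUNED` and gains `BROAD` has traded a targeted suppression for a blanket one.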
