[Snort-users] How do I stop all alerts generated by 'ssp_stream4'? (snort 1.9.0 )

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Mon Oct 21 07:53:02 EDT 2002


These two options to stream4 should solve both of those:

disable_evasion_alerts, ttl_limit 0

-----Original Message-----
From: Bryce Stenberg [mailto:bryce at ...5010...] 
Sent: Sunday, October 20, 2002 4:23 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] How do I stop all alerts generated by 'ssp_stream4'? (snort 1.9.0 )


Hi All,

I have a problem with my logs filling with unwanted alerts from
'spp_stream4'.
I'm using Snort 1.9.0 on Windows NT4 sp6 servers.
I do want packets reassembled but I don't want any alerts.
My 'snort.conf' settings relating to stream4 are:
	
	# stream4: stateful inspection/stream reassembly for Snort:
	preprocessor stream4: noinspect
	
	# tcp stream reassembly directive:
	preprocessor stream4_reassemble: both, ports all, noalerts


My logs are filling with the likes of:

[**] [111:18:1] (spp_stream4) Multiple Acked Packets (possible fragroute) [**]
10/21-10:08:41.883332 192.168.0.7:1257 -> 192.168.0.240:6400
TCP TTL:128 TOS:0x0 ID:17792 IpLen:20 DgmLen:73 DF
***AP*** Seq: 0x9D744AC5  Ack: 0x610FCA  Win: 0x2054  TcpLen: 20

OR:

[**] [111:16:1] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection [**]
10/21-10:01:11.151709 192.168.0.6:139 -> 192.168.0.23:2898
TCP TTL:128 TOS:0x0 ID:45791 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC4F73351  Ack: 0x1FAC281A  Win: 0x2238  TcpLen: 20


Does anyone know what I'm doing wrong here or what I'm missing please?
(I am assuming the above log entries do tie in to the stream4 settings in
snort.conf).
I run no rules files except one - local.rules which is only looking for
specific outgoing text.


Thanks,
  Bryce Stenberg.
     Harness Racing New Zealand computer department,
     emailto:bryce at ...5010...
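
One way to check whether a stream4 configuration change actually silenced these alerts, as an added example that is not part of the original thread: the Python below tallies alert headers by generator ID and signature ID so that any remaining generator 111 (spp_stream4) entries stand out. The sample log is constructed from the two alerts quoted in the post plus a hypothetical local-rule alert, and the function names are illustrative.

```python
import re
from collections import Counter

# Alert header line: [**] [gid:sid:rev] message [**]
ALERT_HEADER = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*)$")
STREAM4_GID = 111  # generator ID shown beside (spp_stream4) in the quoted alerts

# Constructed sample: two alerts from the post, one repeat, one hypothetical rule alert.
SAMPLE_LOG = """\
[**] [111:18:1] (spp_stream4) Multiple Acked Packets (possible fragroute) [**]
10/21-10:08:41.883332 192.168.0.7:1257 -> 192.168.0.240:6400
TCP TTL:128 TOS:0x0 ID:17792 IpLen:20 DgmLen:73 DF

[**] [111:16:1] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection [**]
10/21-10:01:11.151709 192.168.0.6:139 -> 192.168.0.23:2898

[**] [111:18:1] (spp_stream4) Multiple Acked Packets (possible fragroute) [**]
10/21-10:09:02.000000 192.168.0.7:1257 -> 192.168.0.240:6400

[**] [1:1000001:1] LOCAL outgoing text match [**]
10/21-10:09:30.000000 192.168.0.7:1300 -> 10.0.0.5:25
"""

def tally_alerts(lines):
    """Count alerts per (gid, sid) and keep the first message seen for each."""
    counts, messages = Counter(), {}
    for line in lines:
        m = ALERT_HEADER.match(line.strip())
        if not m:
            continue  # packet detail lines, blanks, wrapped continuations
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        messages.setdefault(key, m.group(4).replace("[**]", "").strip())
    return counts, messages

def stream4_alerts(counts):
    """Return only the entries raised by the stream4 preprocessor."""
    return {key: n for key, n in counts.items() if key[0] == STREAM4_GID}

if __name__ == "__main__":
    counts, messages = tally_alerts(SAMPLE_LOG.splitlines())
    for (gid, sid), n in sorted(stream4_alerts(counts).items()):
        print(f"{n:5d}  [{gid}:{sid}]  {messages[(gid, sid)]}")
```

Run it against the alert file before and after editing snort.conf; an empty stream4 tally afterwards means the preprocessor alerts have stopped while rule alerts continue to be counted.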
 

