[Snort-users] spp_stream4: TTL EVASION (reassemble) detection

Pedro Tedeschi pedro.tedeschi at ...6753...
Fri Sep 20 07:54:03 EDT 2002

McCammon, thanks for your reply.

My comments in snort.conf are these:

preprocessor stream4: detect_scans, disable_evasion_alerts, noalerts
The "disable_evasion_alerts" is there in snort.conf, but I'm still receiving evasion alerts.
I really need help, because my database is working full for these alerts.


----- Original Message ----- 
  From: McCammon, Keith 
  To: Pedro Tedeschi ; snort-users at lists.sourceforge.net 
  Sent: Friday, September 20, 2002 11:45 AM
  Subject: RE: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection

  Read your comments in snort.conf: 

  disable_evasion_alerts - turn off the possibly noisy mitigation of overlapping sequences.

  You can uncomment this in the stream4 options.
    -----Original Message-----
    From: Pedro Tedeschi [mailto:pedro.tedeschi at ...6753...]
    Sent: Friday, September 20, 2002 10:32 AM
    To: snort-users at lists.sourceforge.net
    Subject: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection

    Hi, what does this rule mean?
    "spp_stream4: TTL EVASION (reassemble) detection"

    I didn't find this one in the rules path, and I'm receiving more than 56000 attacks about this rule ...

    Is this rule important? If not, I would like to know how I can remove this rule ...

    Thanks in advance


    Pedro Tedeschi