[Snort-users] spp_stream4: TTL EVASION (reassemble) detection
pedro.tedeschi at ...6753...
Fri Sep 20 07:54:03 EDT 2002
McCammon, thanks for you reply
My comments in snort.conf are these:
preprocessor stream4: detect_scans, disable_evasion_alerts, noalerts
The "disable_evasion_alerts" are there in snort.conf, but i'm still recieve evasion alerts.
I'm really need help, because my database are working full for this alerts.
----- Original Message -----
From: McCammon, Keith
To: Pedro Tedeschi ; snort-users at lists.sourceforge.net
Sent: Friday, September 20, 2002 11:45 AM
Subject: RE: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection
Read your comments in snort.conf:
disable_evasion_alerts - turn off the possibly noisy mitigation of overlapping sequences.
You can uncomment this in the stream4 options.
From: Pedro Tedeschi [mailto:pedro.tedeschi at ...6753...]
Sent: Friday, September 20, 2002 10:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] spp_stream4: TTL EVASION (reassemble) detection
Hi, whats means this rule?
"spp_stream4: TTL EVASION (reassemble) detection"
I didn't find this one in the rules path, and i'm recieve more than 56000 attacks about this rule ...
Is this rule are important? If not, i would like to know, how i can remove this rule ...
Thanks in advance
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users