erek at ...950...
Thu Apr 10 09:03:42 EDT 2003
On Thu, 10 Apr 2003, Steven Rudolph wrote:
> Is it possible to ignore hosts in the stream 4 plug-in?
> I have some load balancers that send out traffic that alerts very
> frequently on this.
> I really do not want to log this traffic.
> Here is an example alert:
> [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
> 04/10-11:46:11.071796 aaa.bbb.131.12:1050 -> aaa.bbb.135.123:80
> TCP TTL:62 TOS:0x0 ID:5451 IpLen:20 DgmLen:40 DF
> 1****R** Seq: 0x462F0BD0 Ack: 0x0 Win: 0x0 TcpLen: 20
There really isn't an 'ignore' directive for stream4. You'll have to use
a BPF filter. You can look at the BPF part of this, and for more info
see the tcpdump manpage.
"When things get weird, the weird turn pro." H.S. Thompson
 Tcpdump.org seems to be unreachable, so...
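
The BPF approach suggested in the reply above, as an added example that is not part of the original thread: a shell helper that builds the filter expression from a list of load-balancer addresses. The function names and the 192.0.2.x addresses are constructed placeholders, and the `rst` mode goes beyond the reply by excluding only the TCP RSTs those hosts send rather than all of their traffic.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses are constructed
# placeholders (documentation range); substitute the real load balancers.

# is_ipv4 ADDR -> succeeds only for a dotted quad with octets 0-255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into this function's own $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_filter MODE HOST... -> prints a BPF expression
#   host : drop every packet to or from the listed hosts
#   rst  : drop only TCP segments with RST set that the listed hosts send
build_filter() {
    mode=$1; shift
    case "$mode" in
        host) prefix="host" ;;
        rst)  prefix="src host" ;;
        *)    echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "no hosts given" >&2; return 1; }
    terms=""
    for h in "$@"; do
        # Reject anything that is not a literal address, so a typo cannot
        # silently widen the filter.
        is_ipv4 "$h" || { echo "bad address: $h" >&2; return 1; }
        terms="${terms:+$terms or }$prefix $h"
    done
    if [ "$mode" = rst ]; then
        printf 'not (tcp[tcpflags] & tcp-rst != 0 and (%s))\n' "$terms"
    else
        printf 'not (%s)\n' "$terms"
    fi
}

# Demo with constructed addresses: print the narrower of the two filters.
build_filter rst 192.0.2.12 192.0.2.13
```

Snort takes the resulting expression as trailing command-line arguments or from a file given with `-F`. Packets excluded this way never reach any preprocessor or rule, not only stream4, which is why the `rst` mode is the smaller blind spot.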