[Snort-users] stream4

Erek Adams erek at ...950...
Thu Apr 10 09:03:42 EDT 2003


On Thu, 10 Apr 2003, Steven Rudolph wrote:

> Is it possible to ignore hosts in the stream4 plug-in?
> I have some load balancers that send out traffic that alerts very
> frequently on this.
> I really do not want to log this traffic.
> Here is an example alert:
>
> [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
> 04/10-11:46:11.071796 aaa.bbb.131.12:1050 -> aaa.bbb.135.123:80
> TCP TTL:62 TOS:0x0 ID:5451 IpLen:20 DgmLen:40 DF
> 1****R** Seq: 0x462F0BD0  Ack: 0x0  Win: 0x0  TcpLen: 20

There really isn't an 'ignore' directive for stream4.  You'll have to use
a BPF filter.  You can look at the BPF part of this [0], and for more info
see the tcpdump manpage [1].

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://www.theadamsfamily.net/~erek/snort/ignore.txt
[1]	Tcpdump.org seems to be unreachable, so...
	http://www.fifi.org/cgi-bin/man2html/usr/share/man/man8/tcpdump.8.gz
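As an added example, not part of Erek's reply or of the Snort project: a small POSIX shell script that builds the kind of BPF expression he points to. The addresses 192.0.2.12 and 192.0.2.13 are constructed stand-ins for the load balancers, and the file path under /etc/snort is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project.
# 192.0.2.12 and 192.0.2.13 are constructed stand-ins for the load balancers.
LB_HOSTS="192.0.2.12 192.0.2.13"

# Narrow filter: drop only what the posted alert shows, i.e. packets from the
# load balancers to port 80 with RST set and ACK clear (flags "1****R**").
# Every other packet from those hosts still reaches stream4 and the rules.
lb_rst_filter() {
    hosts=""
    for h in $1; do
        hosts="${hosts:+$hosts or }src host $h"
    done
    printf 'not ((%s) and tcp dst port 80 and tcp[tcpflags] & (tcp-rst|tcp-ack) = tcp-rst)' "$hosts"
}

# Broad filter: ignore the load balancers completely. A BPF filter is applied
# before decoding, so those hosts then vanish from every preprocessor and
# rule, not just stream4; prefer the narrow form where it is enough.
lb_host_filter() {
    hosts=""
    for h in $1; do
        hosts="${hosts:+$hosts or }host $h"
    done
    printf 'not (%s)' "$hosts"
}

# Write the chosen expression to a file for snort's -F option; the same
# expression can also be appended to the snort command line, tcpdump style.
write_filter() {
    lb_rst_filter "$LB_HOSTS" > "$1"
}

# Usage (assumed paths):
#   write_filter /etc/snort/lb.bpf
#   snort -c /etc/snort/snort.conf -F /etc/snort/lb.bpf
```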