[Snort-users] stream4 question

Merrill, Bill (CHS) Bill.Merrill at ...9817...
Thu Aug 7 07:08:37 EDT 2003


I have racked my brain, and cannot think of a way to filter the following
out. I am not a programmer, and editing the header file scared me a bit. 

Besides fixing the problem with the terminal itself, an old Unisys LT300,
can I actually filter the following with a rule somehow?

I am running Snort 2.0.1 on a RH9 sensor. I am using Snortcenter to manage
rules and ACID to display the information from the MySQL database.

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/07-08:48:46.256474 x.x.x.x:2667 -> x.x.x.x:23 TCP TTL:254 TOS:0x0 ID:24
IpLen:20 DgmLen:44
****P*S* Seq: 0x63  Ack: 0x0  Win: 0x572  TcpLen: 24
TCP Options (1) => MSS: 1394 

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/07-08:48:56.673113 x.x.x.x:2399 -> x.x.x.x:23 TCP TTL:254 TOS:0x0 ID:32
IpLen:20 DgmLen:44
****P*S* Seq: 0x63  Ack: 0x0  Win: 0x572  TcpLen: 24
TCP Options (1) => MSS: 1394 

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/07-08:48:56.730540 x.x.x.x:2667 -> x.x.x.x:23 TCP TTL:254 TOS:0x0 ID:33
IpLen:20 DgmLen:44
****P*S* Seq: 0x63  Ack: 0x0  Win: 0x572  TcpLen: 24
TCP Options (1) => MSS: 1394

Hopefully this is appropriate information to post to the list. I appreciate
any input you might have.

-bill
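
The three alerts quoted in the message share one TCP fingerprint (SYN with PSH set, identical sequence number, window and TTL). As an added example, not part of the original post, this Python code parses alert entries in the format shown and groups them by that fingerprint, a quick triage step before deciding what to filter. The addresses in the sample are constructed stand-ins for the masked x.x.x.x values (a single source host is assumed), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the post's three alerts, with the masked x.x.x.x
# addresses replaced by documentation addresses (assumption).
ENTRY = """[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/07-{ts} 192.0.2.10:{sport} -> 198.51.100.5:23 TCP TTL:254 TOS:0x0 ID:{ipid}
IpLen:20 DgmLen:44
****P*S* Seq: 0x63  Ack: 0x0  Win: 0x572  TcpLen: 24
TCP Options (1) => MSS: 1394
"""
SAMPLE = "\n".join(ENTRY.format(ts=t, sport=s, ipid=i) for t, s, i in [
    ("08:48:46.256474", 2667, 24),
    ("08:48:56.673113", 2399, 32),
    ("08:48:56.730540", 2667, 33),
])

# Snort prints the TCP flag byte as eight characters, '*' meaning "not set".
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")
PACKET = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+)")
TCP = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: \S+\s+Win: (0x[0-9A-Fa-f]+)", re.M)

def decode_flags(field):
    """Return the names of the flags set in a field such as '****P*S*'."""
    return tuple(n for n, c in zip(FLAG_NAMES, field) if c != "*")

def parse_alerts(text):
    """Parse blank-line-separated alert entries; skip anything malformed."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h, p, t = HEADER.search(block), PACKET.search(block), TCP.search(block)
        if not (h and p and t):
            continue
        alerts.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)),
            "src": p.group(1), "dst": p.group(3), "dst_port": int(p.group(4)),
            "ttl": int(p.group(5)), "flags": decode_flags(t.group(1)),
            "seq": int(t.group(2), 16), "win": int(t.group(3), 16),
        })
    return alerts

def fingerprints(alerts):
    """Count alerts per (dst_port, flags, seq, win, ttl) tuple."""
    return Counter((a["dst_port"], a["flags"], a["seq"], a["win"], a["ttl"])
                   for a in alerts)

if __name__ == "__main__":
    for fp, n in fingerprints(parse_alerts(SAMPLE)).items():
        print(n, fp)
```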