[Snort-users] STEALTH ACTIVITY (unknown) detection
cc at ...9707...
Thu Jul 31 18:33:04 EDT 2003
Scotts Email wrote:
> I pulled this up from the Snort FAQ,
Section 1.9. ie. http://www.snort.org/docs/faq.html#1.9
> maybe you're getting some noise??
A lot seemed more like the right word.
> IDSes are vulnerable to noise generators like "Stick" and
Nice name for an app. :)
> It is now possible to defeat these kinds of noise generators with
> the stream4 preprocessor. Even without the stream4 preprocessor
> enabled, snort will weather the alert storm without falling over
> or losing a lot of alerts due to its highly optimized nature.
> Using tools that generate huge amounts of alerts will warn a good
> analyst that someone is trying to sneak by their defenses.
I read that part and am a bit puzzled as to which stream4 preprocessor
argument I'm supposed to use. Basically, I have detect_scans and
disable_evasion_alerts. Are there any others that I should be