[Snort-users] spp_stream4 Stealth Activity detect

Esler, Joel Contractor EslerJ at ...8772...
Tue Jun 17 13:43:08 EDT 2003

You may consider taking the "detect_state_problems" out of the stream4
preprocessor load.  This may help to reduce this false positive.


-----Original Message-----
From: John Hally [mailto:JHally at ...5637...] 
Sent: Tuesday, June 17, 2003 4:05 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] spp_stream4 Stealth Activity detect

Hello All,

I'm constantly getting alerts (40-100 per day) from the stream4 preprocessor
for stealth activity.  When I look at the packet trace, it looks benign (web
traffic), except for the Ack/Push/Reset flags being set.  My understanding
of the Stealth alert is that there's no matching state info in the state
tables that snort keeps.  Is it possible that the state tables are
'flushing' too soon, or I just don't have enough memory for the type of
traffic I'm monitoring?  Am I way off?

Thanks in Advance,

John H.

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list