[Snort-users] What is this alert??

Wes Young wcyoung at ...12754...
Mon Mar 21 05:49:46 EST 2005

Hash: SHA1

it usually has to deal with one of 2 things:

A hacker is trying to evade your IDS with funky resets (I'm pretty sure
RST is resets)

Or you have a program out there that is acting up/violating protocol

not a 100% sure since i've not seen that many in real life, but
something to go off of.

I would check out the dst IP as a safety precaution, see if there is
anything wierd running on it. Or see if it has shown up in your alert
logs previously (till now).


Marc Hering wrote:
| Hey All,
| I keep getting this same alert over and over and over (About 5k times
| already since Thursday)
| (spp_stream4) possible EVASIVE RST detection
| I can't seem to find any usefull info on it aside from that it is
| detecting a lot of RST requests...Is this a common alert that needs to
| be tweaked or am I looking at something more sinister?
| Thanks!
| <M>

- --
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
Version: GnuPG v1.2.6 (GNU/Linux)


More information about the Snort-users mailing list