[Snort-users] What is this alert??
wcyoung at ...12754...
Mon Mar 21 05:49:46 EST 2005
-----BEGIN PGP SIGNED MESSAGE-----
It usually has to deal with one of 2 things:
A hacker is trying to evade your IDS with funky resets (I'm pretty sure
RST is resets)
Or you have a program out there that is acting up/violating protocol
Not 100% sure since I've not seen that many in real life, but
something to go off of.
I would check out the dst IP as a safety precaution, see if there is
anything weird running on it. Or see if it has shown up in your alert
logs previously (till now).
Marc Hering wrote:
| Hey All,
| I keep getting this same alert over and over and over (About 5k times
| already since Thursday)
| (spp_stream4) possible EVASIVE RST detection
| I can't seem to find any useful info on it aside from that it is
| detecting a lot of RST requests...Is this a common alert that needs to
| be tweaked or am I looking at something more sinister?
Network Security Analyst
University at Buffalo
GPG Key: http://saxjazman9-security.blogspot.com/2005/01/gpg-key.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
-----END PGP SIGNATURE-----
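
The triage suggested in the reply above (group the alerts by destination IP and see when each destination first showed up), as an added example that is not part of the original thread. The sample lines are constructed and assume Snort's one-line "fast" alert layout; `[0:0:0]` is a placeholder for the gid:sid:rev field, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), assuming Snort's one-line
# "fast" alert layout. "[0:0:0]" is a placeholder for the gid:sid:rev field.
SAMPLE_ALERTS = """\
03/17-09:12:01.100000  [**] [0:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.10:4312 -> 198.51.100.7:80
03/17-09:12:01.900000  [**] [0:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.10:4313 -> 198.51.100.7:80
03/18-14:40:22.000000  [**] [0:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.44:1028 -> 198.51.100.7:80
03/19-02:03:55.500000  [**] [0:0:0] (spp_stream4) possible EVASIVE RST detection [**] {TCP} 192.0.2.10:4400 -> 203.0.113.5:25
03/19-02:04:00.000000  [**] [0:0:0] (portscan) some other alert [**] {TCP} 192.0.2.99:1 -> 203.0.113.5:22
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?"
    r"\(spp_stream4\) possible EVASIVE RST detection.*?"
    r"\{TCP\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def summarize(text):
    """Group EVASIVE RST alerts by destination IP."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "sources": set(), "dports": set()})
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # other alert types or malformed lines
        s = stats[m["dst"]]
        s["count"] += 1
        # Timestamps carry no year, so string order is chronological only
        # within a single year of logs.
        ts = m["ts"]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["sources"].add(m["src"])
        s["dports"].add(int(m["dport"]))
    return dict(stats)

def report(stats):
    """One line per destination, busiest first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["count"])
    return [f"{dst}  n={s['count']}  first={s['first']}  last={s['last']}  "
            f"srcs={len(s['sources'])}  dports={sorted(s['dports'])}"
            for dst, s in rows]

if __name__ == "__main__":
    for row in report(summarize(SAMPLE_ALERTS)):
        print(row)
```

To run it over real data, pass the contents of the sensor's alert file to `summarize` in place of `SAMPLE_ALERTS`.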