[Snort-users] What is this alert??
taosecurity at ...11827...
Mon Mar 21 06:18:48 EST 2005
Marc Hering wrote:
> Hey All,
> I keep getting this same alert over and over and over (About 5k times already
> since Thursday)
> (spp_stream4) possible EVASIVE RST detection
> I can't seem to find any useful info on it aside from that it is detecting a lot
> of RST requests...Is this a common alert that needs to be tweaked or am I
> looking at something more sinister?
I recommend collecting some sample full content data using Tcpdump.
If you're seeing tons of those alerts you'll be sure to capture
something involving the IPs generating them.
This is a good example of the importance of independently collecting
full content data (libpcap packet info) to complement alert data (IDS
You might also gain some insight by collecting session data with Argus
Since you're ready to find out more about specific events, you should
probably just jump straight to collecting sample full content data.
Start collecting session data now for future events which require
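One way to put such a tcpdump capture to use, as an added example that is not from the thread or from Snort itself: tally TCP RST segments per endpoint pair from a pcap written with `tcpdump -w`, so the hosts producing the stream4 alerts stand out. Assumes Ethernet link type and IPv4 only; the embedded pcap is constructed sample data.

```python
import struct
from collections import Counter

def _rst_endpoints(frame):
    """('src:port', 'dst:port') if the Ethernet/IPv4 frame is a TCP RST, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    if ip[9] != 6:                                        # not TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]                         # skip IP header + options
    if len(tcp) < 14 or not tcp[13] & 0x04:               # RST flag bit
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return (f"{src}:{sport}", f"{dst}:{dport}")

def count_rsts(pcap_bytes):
    """Walk a libpcap file and count RST segments per (src, dst) endpoint pair."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    counts, off = Counter(), 24                           # skip 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        hit = _rst_endpoints(frame)
        if hit:
            counts[hit] += 1
    return counts

def _frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed little-endian pcap: two RSTs from one client, one SYN back."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame("10.0.0.5", "192.0.2.10", 40000, 80, 0x04),
              _frame("10.0.0.5", "192.0.2.10", 40000, 80, 0x04),
              _frame("192.0.2.10", "10.0.0.5", 80, 40000, 0x02)):
        out += struct.pack("<IIII", 1111111111, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (src, dst), n in count_rsts(sample_pcap()).most_common():
        print(f"{n:6d} RST  {src} -> {dst}")
```

To run it on a real capture, replace `sample_pcap()` with the bytes of the file tcpdump wrote (`open(path, "rb").read()`); the per-pair counts tell you which addresses to look at in the full content data.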