[Snort-users] What is this alert??

Richard Bejtlich taosecurity at ...11827...
Mon Mar 21 06:18:48 EST 2005


Marc Hering wrote:

> Hey All,
> I keep getting this same alert over and over and over (About 5k times already 
> since Thursday)
> 
> (spp_stream4) possible EVASIVE RST detection   
> 
> I can't seem to find any useful info on it aside from that it is detecting a lot 
> of RST requests...Is this a common alert that needs to be tweaked or am I 
> looking at something more sinister?

Hello Marc,

I recommend collecting some sample full content data using Tcpdump. 
If you're seeing tons of those alerts you'll be sure to capture
something involving the IPs generating them.

This is a good example of the importance of independently collecting
full content data (libpcap packet info) to complement alert data (IDS
triggers).

You might also gain some insight by collecting session data with Argus
or SANCP.

Since you're ready to find out more about specific events, you should
probably just jump straight to collecting sample full content data. 
Start collecting session data now for future events which require
additional investigation.

Sincerely,

Richard
http://www.taosecurity.com
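As an added illustration of the tcpdump approach above (example code, not part of the original thread), the helpers below build a BPF filter that isolates RST segments involving the hosts named in the spp_stream4 alerts, wrap a full-content capture, and tally which source addresses sent the RSTs from `tcpdump -n` text output. The function names and the sample capture lines are constructed for this example.

```shell
#!/bin/sh
# Added example: full content collection for the "possible EVASIVE RST detection" alerts.

# Build a BPF filter matching TCP segments with RST set, limited to the given hosts.
# tcp[tcpflags] & tcp-rst != 0 is the documented pcap-filter idiom for "RST flag set".
rst_filter() {
    hosts=""
    for h in "$@"; do
        if [ -z "$hosts" ]; then hosts="host $h"; else hosts="$hosts or host $h"; fi
    done
    printf 'tcp[tcpflags] & tcp-rst != 0 and (%s)' "$hosts"
}

# Capture whole packets (-s 0) for the alerting hosts into a pcap file for later review.
# Usage: capture_rst eth0 rst-sample.pcap 10.0.0.5 192.0.2.9
capture_rst() {
    iface=$1; outfile=$2; shift 2
    tcpdump -n -i "$iface" -s 0 -w "$outfile" "$(rst_filter "$@")"
}

# Count RST senders from "tcpdump -n -r file" text on stdin (modern "Flags [R]" format);
# $3 is src.ip.port, so rejoin the first four dotted fields to recover the address.
rst_sources() {
    awk '/Flags \[R\.?\]/ { split($3, a, "."); ip=a[1]"."a[2]"."a[3]"."a[4]; c[ip]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed sample of tcpdump output: two RST/ACKs from 10.0.0.5, a SYN, one RST from 192.0.2.7.
SAMPLE='12:00:00.000001 IP 10.0.0.5.80 > 192.0.2.9.40000: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:00.000002 IP 10.0.0.5.80 > 192.0.2.9.40001: Flags [R.], seq 1, ack 1, win 0, length 0
12:00:00.000003 IP 192.0.2.9.40002 > 10.0.0.5.80: Flags [S], seq 100, win 65535, length 0
12:00:00.000004 IP 192.0.2.7.443 > 192.0.2.9.40003: Flags [R], seq 0, win 0, length 0'

# Return the top RST sender for the constructed sample ("2 10.0.0.5").
top_rst_sender() {
    printf '%s\n' "$SAMPLE" | rst_sources | head -n 1
}
```

Feed real output with `tcpdump -n -r rst-sample.pcap | rst_sources` once a capture exists; the counts point at the hosts worth pulling session data for.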