No subject

Thu Nov 23 16:36:19 EST 2017

# stream4: stateful inspection/stream reassembly for Snort
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules.  Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc.  Can statefully
# detect various portscan types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8MB)
# options (options are comma delimited):
#   keepstats [machine] - keep session statistics, add "machine" to get them
#                         a flat format for machine reading
#   noinspect - turn off stateful inspection only
#   noalerts - turn off alerts from the stateful inspector
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes

preprocessor stream4 noalerts
                     ^^^^^^^^--- This should do the trick.


-----Original Message-----
From: snort-users-admin at
[mailto:snort-users-admin at]On Behalf Of Ralf
Sent: Friday, July 13, 2001 7:59 AM
To: Snort-users at
Subject: Re: [Snort-users] spp_stream4: EVASIVE RST detection

On Wed, Jul 11, 2001 at 09:50:32AM +0200, Ralf Hildebrandt wrote:
> OK, what is "spp_stream4: EVASIVE RST detection" ? And why is it
> cluttering my log?
> Between 18:16:55 and 09:44:11 I got 136 of these alerts. What exactly
> triggers it?

Or is there any way to disable that particular type of alert from the
stream4 preprocessor?

ralf.hildebrandt at ...821...                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77

Snort-users mailing list
Snort-users at
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list