Snort mailing list archives

spp_stream4 alerts "un-disable-able" ? :-)


From: Edwin Eefting <edwin () bit nl>
Date: Thu, 23 May 2002 18:01:49 +0200 (CEST)

Hi,

I can't seem to disable the new fragroute detection alerts in snort Version
1.9-dev (Build 147).

I just tried the latest cvs version, but I still get flooded with hundreds
of alerts per minute. (I have to sniff a data stream of approx.
4mbytes/s)

I get things like "(spp_stream4) possible EVASIVE RST detection"
and "(spp_stream4) Multiple Acked Packets (possible fragroute)" and many
more.

Do I just have to wait because this of course is the development version,
or is this a real bug? (or something that has been forgotten)

Here is the preprocessor part of my snort.conf:
#preprocessor defrag
preprocessor frag2

#edwin:
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: memcap 64000000 disable_evasion_alerts
preprocessor stream4_reassemble: noalerts 1 

#too much:preprocessor unidecode: 80
#preprocessor unidecode: -unicode -cginull 80
#preprocessor http_decode: -unicode -cginull 80
# snort doesn't start anymore with -unicode and -cginull (errors)
preprocessor http_decode: 80

preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
#preprocessor portscan: $HOME_NET 4 30 portscan.log
#preprocessor portscan-ignorehosts: $DNS_SERVERS

preprocessor arpspoof


Thanks,
Edwin Eefting
-- 
                              __________________
Kind regards,                /\ ___/
Edwin Eefting               /- \ _/  Business Internet Trends BV
                           /--- \/           __________________

