Snort mailing list archives
spp_stream4 alerts "un-disable-able" ? :-)
From: Edwin Eefting <edwin () bit nl>
Date: Thu, 23 May 2002 18:01:49 +0200 (CEST)
Hi,

I can't seem to disable the new fragroute detection alerts in snort Version 1.9-dev (Build 147). I just tried the latest cvs version, but I still get flooded with hundreds of alerts per minute. (I have to sniff a data stream of approx. 4mbytes/s)

I get things like "(spp_stream4) possible EVASIVE RST detection" and "(spp_stream4) Multiple Acked Packets (possible fragroute)" and many more.

Do I just have to wait because this of course is the development version, or is this a real bug? (or something that has been forgotten)

Here is the preprocessor part of my snort.conf:

#preprocessor defrag
preprocessor frag2
#edwin:
#preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream4: memcap 64000000 disable_evasion_alerts
preprocessor stream4_reassemble: noalerts 1
#too many:preprocessor unidecode: 80
#preprocessor unidecode: -unicode -cginull 80
#preprocessor http_decode: -unicode -cginull 80
# snort doesn't start anymore with -unicode and -cginull (errors)
preprocessor http_decode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
#preprocessor portscan: $HOME_NET 4 30 portscan.log
#preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor arpspoof

Thanks,
Edwin Eefting

--
Kind regards,
Edwin Eefting
Business Internet Trends BV
Current thread:
- spp_stream4 alerts "un-disable-able" ? :-) Edwin Eefting (May 23)
- Re: spp_stream4 alerts "un-disable-able" ? :-) Chris Green (May 23)