Snort mailing list archives
Re: spp_stream4
From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 09 Jul 2002 14:36:00 -0700
Yeah, Snort detects the packet being sent to the web proxy has a different checksum than the one being sent from the web proxy. Fragrouted traffic from a single source can look like this. Snort's saying "Ah ha! You have already sent this packet, and the one you are sending again is different!" You can look into the fragroute docs for information on why this is fun.

So to turn this off you can add the "disable_evasion_alerts" argument to the stream4 preprocessor.

    preprocessor stream4: detect_scans, disable_evasion_alerts

Hope this helps,

-Joe M.

--
Joe McAlerney
Silicon Defense: IDS Solutions

Jason Gauthier wrote:
I have started snort up, and am fine tuning my rules. I'm getting this message A LOT. It comes from the same system every time: my transparent web proxy. I'm not really understanding what's going on.

I'm guessing that this is the stream4 preprocessor and the message is coming up because it's transparently sending it to another box.

My question then, since this is a "false positive", is what can I do about ignoring it?

Thanks kindly,
Jason

======================
Message: spp_stream4: TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Stuff, things, and much much more.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
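Added example, not part of the original thread and not Snort's own code: a simplified Python model of the condition the alert name and the reply describe, where a sequence number already seen on a flow arrives again carrying a different TCP checksum. The class and function names are hypothetical, and the segments and addresses are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

def tcp_checksum(src, dst, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed
    pseudo += struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(src, dst, sport, dport, seq, payload):
    """Constructed 20-byte TCP header (PSH|ACK) plus payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

class RetransmitChecker:
    """Remembers the checksum first seen for each (flow, sequence number)."""

    def __init__(self):
        self.first_seen = {}

    def observe(self, src, dst, segment):
        """Return True when a known sequence number arrives with a new checksum."""
        sport, dport, seq = struct.unpack("!HHI", segment[:8])
        (csum,) = struct.unpack("!H", segment[16:18])
        key = (src, dst, sport, dport, seq)
        return self.first_seen.setdefault(key, csum) != csum

def demo():
    # Constructed sample traffic; addresses come from the documentation ranges.
    src, dst = "192.0.2.10", "198.51.100.80"
    first = build_segment(src, dst, 40000, 80, 1000, b"GET /index.html")
    altered = build_segment(src, dst, 40000, 80, 1000, b"GET /other.html")
    checker = RetransmitChecker()
    # Original, byte-identical retransmission, then same seq with other bytes.
    return [checker.observe(src, dst, s) for s in (first, first, altered)]

if __name__ == "__main__":
    print(demo())  # [False, False, True]
```

A byte-identical retransmission stays quiet; only the third segment, which reuses the sequence number with different contents, trips the check.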
Current thread:
- spp_stream4 Jason Gauthier (Jul 09)
- Re: spp_stream4 Joe McAlerney (Jul 09)