Snort mailing list archives
Re: stream4 is alerting from my own MySQL Box???
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 8 Oct 2002 09:21:48 -0700 (PDT)
On 8 Oct 2002, Jeff Ramsey wrote:
I keep getting the following alert from my SQL server:
[..snip...]
1 - 27 2002-10-07 20:27:31 spp_stream4: possible EVASIVE RST detection
[...snip...]
If I comment out the stream4 parts of snort.conf, these messages stop. I want the stream4 part so I can check for port scanning. How can I get snort to ignore these packets from my sql server?
Check the .conf file. :) It's listed in there. # disable_evasion_alerts - turn off the possibly noisy mitigation of # overlapping sequences. And just FYI "A RST packet for a session came in and its sequence number was either outside of the window or below the last ack received from the other side of the connection." That's from http://marc.theaimsgroup.com/?l=snort-devel&m=99408150913864&w=2 Hope that helps! ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- stream4 is alerting from my own MySQL Box??? Jeff Ramsey (Oct 08)
- Re: stream4 is alerting from my own MySQL Box??? Erek Adams (Oct 08)