From: Peter.VEpandora.be
Date: Wed Jun 05 2002 - 08:03:47 CDT

    Hi all,
     
    After installing 1.8.7 beta 5, I noticed an increase in Snort alerts, most of them related to the fragroute/stream4 preprocessor.
    Some examples:
    [**] [111:2:1]  <eth1> spp_stream4: possible EVASIVE RST detection [**]
    06/05-13:56:58.612924 0:4:4D:31:93:85 -> 0:90:27:2E:CB:75 type:0x800 len:0x3C
    195.121.244.219:80 -> w.x.y.z:46735 TCP TTL:53 TOS:0x0 ID:47804 IpLen:20 DgmLen:40 DF
    ***A*R** Seq: 0x8E04E7C9  Ack: 0x2AC490DE  Win: 0x2238  TcpLen: 20
     
    [**] [111:18:1]  <eth1> spp_stream4: Multiple Acked Packets (possible fragroute) [**]
    06/05-13:56:59.073985 0:4:4D:31:93:85 -> 0:90:27:2E:CB:75 type:0x800 len:0x5EA
    212.190.122.49:1941 -> w.x.y.z:25 TCP TTL:114 TOS:0x0 ID:19372 IpLen:20 DgmLen:1500 DF
    ***A**** Seq: 0x43AF6AC0  Ack: 0xA341D3F0  Win: 0x2074  TcpLen: 20
    -> I'm pretty sure these are false warnings...
     
     
    I took my Snort conf file from 1.8.6 and I'm using it with 1.8.7.  Did I miss some settings?  How can I fine-tune this?
     
    Thanks


    Best Regards,

    Peter