Hi, for about 4 months now I have been running Snort. I use the Windows version of Snort. Periodically I check my alert.ids to look for potential attempts to compromise my computer. I have noticed that the EVASIVE RST alert is generated quite frequently and am sure it is not indicating any break-in, since as soon as I log into a few chat servers I immediately receive this alert.
It is becoming very annoying now. So I have done some Google searching. I discovered that the preprocessor stream4 is responsible for this alert; furthermore, the option noalerts can turn this alert off. I am led to believe that stream4 plays a major role in the functionality of Snort, and am fearful that noalerts would not be a wise choice. Instead I would only like to disable the EVASIVE RST alert but keep the rest.
I would still like to know when I have an out-of-window sequence and other alerts, but specifically I would like to solely eliminate EVASIVE RST.
I found a post asking more or less the same question I am asking:
The post seems to be causing a great debate on how to actually turn off EVASIVE RST. Can someone please guide me in the right direction? Thank you.
Currently my stream4 config is as follows:
preprocessor stream4: detect_scans disable_evasion_alerts
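Since the question is about keeping stream4 fully enabled while ignoring one noisy alert, here is an added example (not from the post and not Snort's own code) that filters the EVASIVE RST entries out of a full-format alert.ids at review time, so the out-of-window and other stream4 alerts stay visible. The gid:sid:rev values, addresses and exact message wording in the sample are constructed placeholders, and the alert block layout is assumed to follow Snort's "full" alert format.

```python
import re
from collections import Counter

# Constructed sample of Snort "full" alert output (alert.ids). The gid:sid:rev
# values, hosts and message text are placeholders, not real Snort identifiers.
SAMPLE_ALERT_IDS = """\
[**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**]
01/05-20:11:02.120000 10.0.0.5:1090 -> 192.0.2.10:6667
TCP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:40
***A*R** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x0  TcpLen: 20

[**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**]
01/05-20:11:03.500000 10.0.0.5:1091 -> 192.0.2.11:6667
TCP TTL:128 TOS:0x0 ID:1235 IpLen:20 DgmLen:40
***A*R** Seq: 0x1A2B3C4E  Ack: 0x0  Win: 0x0  TcpLen: 20

[**] [111:4:1] (spp_stream4) possible out-of-window sequence number [**]
01/05-20:15:44.000000 198.51.100.7:4444 -> 10.0.0.5:139
TCP TTL:51 TOS:0x0 ID:777 IpLen:20 DgmLen:40
***A**** Seq: 0xDEADBEEF  Ack: 0x1  Win: 0x4000  TcpLen: 20
"""

# "[**] [gid:sid:rev] message [**]" header and "MM/DD-HH:MM:SS.usec src -> dst" flow line
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def parse_alerts(text):
    """Split full-format alert output into dicts with gid, sid, msg, ts, src, dst."""
    alerts = []
    for block in text.strip().split("\n\n"):  # one blank line separates alerts
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0]) if lines else None
        if not header:
            continue  # not an alert header; skip unknown block
        gid, sid, _rev, msg = header.groups()
        ts = src = dst = None
        for line in lines[1:]:
            flow = FLOW_RE.match(line)
            if flow:
                ts, src, dst = flow.groups()
                break
        alerts.append({"gid": int(gid), "sid": int(sid), "msg": msg,
                       "ts": ts, "src": src, "dst": dst})
    return alerts


def triage(text, ignore_substrings=("EVASIVE RST",)):
    """Count alerts by message, dropping only those whose text matches an ignored substring."""
    kept = [a for a in parse_alerts(text)
            if not any(s in a["msg"] for s in ignore_substrings)]
    return Counter(a["msg"] for a in kept)
```

Run `triage(open("alert.ids").read())` against a real file to see what remains once the EVASIVE RST noise is set aside; pass `ignore_substrings=()` to count everything.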