Snort mailing list archives
too many Alerts (129:12:0)---more than 7000 alerts /per day
From: Jun Wan <junwei_wan () hotmail com>
Date: Thu, 30 Dec 2010 07:07:39 +0000
Happy 2011 (almost) to all,

My Snort 2.8.6.0 is running on Ubuntu 10.04 (32bit) with Snort Report 1.3.1. There were 7000~10000 alerts (129:12:0) every day, which slowed down Snort Report when loading data, so I did the following in threshold.conf and tried to reduce the number of the alerts:

    threshold gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60

Not much improvement (still 7000+ alerts (129:12:0) per day), then I did the following in Snort.conf:

From:
    preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
        overlap_limit 10, small_segments 3 bytes 100, timeout 180,
To:
    preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
        overlap_limit 20, small_segments 6 bytes 250, timeout 180,

But Snort is still producing 7000+ alerts (129:12:0) every day; I am not sure whether what I did above is the right way to reduce the number of these alerts. Any suggestion to reduce the number of these alerts would be much appreciated.

Thanks
Regards
John
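Added example (not code from the post or from the Snort project): a small Python simulation of what the `threshold type limit, track by_src, count 1, seconds 60` entry above does to a stream of 129:12 events. Event data and the function names are constructed for the demonstration; the limit is applied per (gid, sid, source IP), so every distinct source still gets one alert per 60-second window.

```python
"""Simulate Snort's `threshold type limit, track by_src` semantics on
constructed 129:12 alert events.  Added example; not Snort's own code."""
from collections import defaultdict


def apply_limit_threshold(events, count=1, seconds=60):
    """events: iterable of (timestamp_seconds, gid, sid, src_ip), in time order.

    `type limit` keeps the first `count` events per tracked key in each
    `seconds` window and drops the rest until the window expires.
    Returns the list of events that would still be logged."""
    # key -> [window_start_ts, events_seen_in_window]
    windows = defaultdict(lambda: [None, 0])
    logged = []
    for ts, gid, sid, src in events:
        state = windows[(gid, sid, src)]          # track by_src
        if state[0] is None or ts - state[0] >= seconds:
            state[0], state[1] = ts, 0           # open a new window
        if state[1] < count:
            logged.append((ts, gid, sid, src))   # within the limit: alert
        state[1] += 1                            # beyond it: counted, dropped
    return logged


def constructed_events(n_sources, per_source, spacing_s=5):
    """Constructed sample: each of n_sources hosts triggers 129:12 every
    spacing_s seconds, per_source times (constructed data, not real traffic)."""
    return sorted(
        (i * spacing_s, 129, 12, f"10.0.0.{s}")
        for s in range(1, n_sources + 1)
        for i in range(per_source)
    )


if __name__ == "__main__":
    # 10 sources, each firing 24 times over two minutes: 240 raw events.
    raw = constructed_events(n_sources=10, per_source=24)
    kept = apply_limit_threshold(raw, count=1, seconds=60)
    print(f"{len(raw)} raw events -> {len(kept)} alerts after limit 1/60s")
    # Widening the window reduces alerts further, but never below one per
    # source per window: many sources still mean many alerts.
    kept_hour = apply_limit_threshold(raw, count=1, seconds=3600)
    print(f"{len(raw)} raw events -> {len(kept_hour)} alerts after limit 1/3600s")
```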