Snort mailing list archives
Re: [Snort-Users] Re: too many stream5_tcp alerts
From: carlopmart <carlopmart () gmail com>
Date: Thu, 17 Mar 2011 16:12:45 +0100
On 03/16/2011 08:57 PM, striker wrote:
>> I believe you have to increase the max_tcp value under stream5_global
>
> I was wrong about mac_tcp, apologize for that. I just did some digging but could find the answer to your question.
>
>> Thanks striker. But how can I adjust this parameter without compromising Snort??
>
> I think there is no way to avoid restarting snort, for the new changes to be effective. If you think all those alerts are false positives, you can write a filter in threshold.conf to suppress those alerts:
>
> suppress gen_id 129, sig_id 12

Actually, they are false positives because all alerts come from secure hosts, but in the future?? Moreover, new alerts appear:

03/17-15:53:55.936522 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.936560 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.938810 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.940118 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.941173 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.942404 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.943911 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.945152 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.946402 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.947904 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.949154 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.950417 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.951660 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.953160 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.954396 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.955635 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.957393 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.958649 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.960155 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.961421 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.962664 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80

And others from frag3:

03/17-16:04:04.496355 [**] [123:13:1] frag3: Fragments smaller than configured min_fragment_length [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.206.1 -> 192.168.34.3

This is a DNS query. Why is this alert fired?? All my problems are stream5 and frag3 related. Is it possible to start with a simple stream5 and frag3 configuration with minimal security from the Snort side??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
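As an added illustration (not part of the thread, nor Snort project code), the script below triages alert_fast lines of the kind quoted above: it parses them, counts alerts per signature and source host, and emits a threshold.conf `suppress` line scoped with `track by_src` to the known-good host, which is narrower than the blanket `suppress gen_id 129, sig_id 12` suggested in the reply. The sample lines are constructed from the alerts in the post; the `min_count` threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Snort 2.x "alert_fast" line layout, matching the stream5/frag3 alerts quoted in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\]"
    r" \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

# Constructed sample input: the TCP stream5 alert repeated, plus the UDP frag3 alert (no ports).
SAMPLE = """\
03/17-15:53:55.936522 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.936560 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.938810 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-16:04:04.496355 [**] [123:13:1] frag3: Fragments smaller than configured min_fragment_length [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.206.1 -> 192.168.34.3
"""

def host(addr):
    """Strip the ':port' suffix; frag3 alerts on fragments carry bare IPs."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src_ip"], d["dst_ip"] = host(d["src"]), host(d["dst"])
    return d

def count_by_signature_and_source(text):
    """Count alerts per (gid, sid, msg, source host), skipping lines that do not parse."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            counts[(a["gid"], a["sid"], a["msg"], a["src_ip"])] += 1
    return counts

def suggest_suppressions(text, min_count=2):
    """Build threshold.conf 'suppress' lines limited to the noisy source host (track by_src)
    for every signature that host fired at least min_count times, instead of muting the whole sig."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
            for (gid, sid, msg, src), n in sorted(count_by_signature_and_source(text).items())
            if n >= min_count]

if __name__ == "__main__":
    print("\n".join(suggest_suppressions(SAMPLE)))
```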