Snort mailing list archives

Re: [Snort-Users] Re: too many stream5_tcp alerts


From: carlopmart <carlopmart () gmail com>
Date: Thu, 17 Mar 2011 16:12:45 +0100

On 03/16/2011 08:57 PM, striker wrote:
>> I believe you have to increase the max_tcp value under stream5_global
>
> I was wrong about max_tcp, apologize for that. I just did some digging
> but could not find the answer to your question.
>
>> Thanks striker. But how can I adjust this parameter without compromising Snort?
>
> I think there is no way to avoid restarting snort, for the new changes
> to be effective.
>
> If you think all those alerts are false positives, you can write a
> filter in threshold.conf to suppress those alerts
>
> suppress gen_id 129, sig_id 12



Actually, they are false positives because all alerts come from secure hosts,
but what about the future?

Moreover, new alerts appear:

03/17-15:53:55.936522  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.936560  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.938810  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.940118  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.941173  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.942404  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.943911  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.945152  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.946402  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.947904  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.949154  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.950417  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.951660  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.953160  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.954396  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.955635  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.957393  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.958649  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.960155  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.961421  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.962664  [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80

And others from frag3:

03/17-16:04:04.496355  [**] [123:13:1] frag3: Fragments smaller than configured min_fragment_length [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.206.1 -> 192.168.34.3

This is a DNS query. Why is this alert fired?

All my problems are stream5 and frag3 related. Is it possible to start
with a simple stream5 and frag3 configuration with minimal security
from the Snort side?

Thanks.
-- 
CL Martinez
carlopmart {at} gmail {d0t} com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
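As an added example (not configuration from the thread or from the Snort project), here is the kind of minimal stream5/frag3 setup the last question asks for, with threshold.conf entries that narrow the blanket suppression from the quoted reply to the one host the alerts come from. The security-relevant point: the gid 129 stream5 alerts seen above are only generated when stream5_tcp is configured with detect_anomalies (129:15, Reset outside window) or small_segments (129:12), and the 123:13 frag3 alert only when frag3_engine sets a non-zero min_fragment_length together with detect_anomalies; a quiet baseline leaves those options out and keeps reassembly on, rather than suppressing the signatures for every host. The numeric values, policy names, the threshold.conf path, and the choice of 192.168.34.6 (taken from the alert lines above) as the host to scope the filters to are all assumptions for illustration; as striker notes, changes to snort.conf still need a restart to take effect.

```conf
# snort.conf fragment (added example, not from the thread). max_tcp,
# max_udp, the policy names and the timeouts are assumed values; tune
# them to your own traffic and host OS mix.

# stream5: keep TCP/UDP session tracking and reassembly on so that
# rules which need reassembled streams keep working ...
preprocessor stream5_global: track_tcp yes, \
    track_udp yes, \
    track_icmp no, \
    max_tcp 262144, \
    max_udp 131072

# ... but do NOT enable "detect_anomalies" (source of 129:15 and the
# other gid 129 protocol-anomaly alerts) or "small_segments" (source of
# 129:12) until the baseline is quiet and you can judge them per host.
preprocessor stream5_tcp: policy linux, \
    timeout 180
preprocessor stream5_udp: timeout 180

# frag3: reassemble IP fragments for the detection engine. With no
# min_fragment_length (default 0, meaning no limit) and no
# detect_anomalies, a short trailing fragment of a large UDP datagram
# such as a fragmented DNS response does not raise 123:13.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux, \
    timeout 180

# If the anomaly options are later re-enabled, filter in threshold.conf
# (assumed to live at /etc/snort/threshold.conf and to be pulled in by
# "include threshold.conf" in snort.conf). Scope the suppression to the
# host that is known to be benign instead of the whole signature:
suppress gen_id 129, sig_id 12, track by_src, ip 192.168.34.6

# For the reset storm, keep the alert but cap it at one event per source
# per minute, so a burst like the 21 lines above becomes a single line.
# (A suppress for the same gid:sid would take precedence over this.)
event_filter gen_id 129, sig_id 15, type limit, track by_src, count 1, seconds 60
```

The difference between the two threshold.conf forms matters for the "but what about the future?" worry: suppress drops the event entirely for that host, while event_filter with type limit still records the first occurrence per interval, so a new pattern from the same host remains visible in the logs.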