Snort mailing list archives
Tcp errors by the dozen, but all false positives ?
From: Crusty Saint <saintcrusty () gmail com>
Date: Mon, 10 Jan 2011 16:53:31 +0100
Hi,

While reviewing the snort logs I've found an extensive amount of the following alerts:

[129:7:1] Limit on number of overlapping TCP packets reached [Classification: Potentially Bad Traffic] [Priority: 2] <eth0>

For the first one, I've played with setting the threshold to a value above 10 (> 30, then back to 20). When at 30 there are virtually no more notifications, when on 20 only on rare occasions. As the default is 0 I suspect this is a parameter prone to cause false positives. But as it is related to IDS evasion I'm anxious yes or no to turn it off. It is my understanding that retransmissions and/or duplication of packets could be a cause for this alert to occur.

[129:15:1] Reset outside window [Classification: Potentially Bad Traffic] [Priority: 2] <eth0>

As this is a seemingly complex event to happen by itself this worries me most. This does seem to be possibly hardware related, in relation to the first alert/notification above.

[129:14:1] TCP Timestamp is missing [Classification: Potentially Bad Traffic] [Priority: 2] <eth0>

As this is a seemingly complex event to happen by itself this worries me most. This does not seem to be possibly hardware related.

Thank you for your time and consideration,
Crusty