Snort mailing list archives
Re: snort on a span/monitor port on cisco : false positives thru the roof ?
From: Crusty Saint <saintcrusty () gmail com>
Date: Wed, 26 Jan 2011 16:43:12 +0100
Had bad span port positioning reconfigured, fixed *blush*

2011/1/24 Crusty Saint <saintcrusty () gmail com>
Hi,

I've been looking into results for a snort 2.9.0.3 connected to a span port on a switch. The traffic is between a load-balancer and a virtualised server. What I am seeing that disturbs me most is a LOT of TCP overlapping packet, packets out of PAWS window and other possible evasion-related notifications.

[129:7:1] Limit on number of overlapping TCP packets reached [Classification: Potentially Bad Traffic] [Priority: 2]
[129:4:1] TCP Timestamp is outside of PAWS window [Classification: Generic Protocol Command Decode] [Priority: 3]

Further there are also messages regarding normal packets being outside of their window size. Setting the threshold from 10 to 100 obviously reduced the number of messages related to overlapping tcp packets ... but I'm curious ... after a while the new threshold is reached again.

Now my question is (1) if this could be indicative for traffic running across a span/monitor port on a cisco switch OR (2) if this is normal when watching traffic to/from a virtualised server.

Can you please inform me on possible interference from my set-up regarding these measurements ?

St. Crusty
--
Security Engineer
Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting
If you think I deserve a rant, write me off-list
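A triage script for the alerts quoted in the original post, added here as an example and not part of the thread: it walks constructed segment records (flow key, sequence number, payload length, TCP timestamp; the flow key string and all sample values are assumptions) and counts exact duplicates, partial overlaps and timestamp regressions per flow, which is the pattern a SPAN session that hands the sensor the same link twice produces. Run against real segments, a duplicate share near one half says the mirror configuration, not the endpoints, is feeding the overlap counter that the post's threshold was raised to silence.

```python
"""Per-flow triage for Snort stream5 'overlapping TCP packets' / PAWS alerts."""
from collections import defaultdict

# Constructed sample, not captured traffic: (flow, seq, payload_len, tsval).
# Segments 2 and 4 are exact copies of 1 and 3 (what a doubled SPAN yields),
# segment 5 partially overlaps segment 3, segment 6 carries an older tsval.
SAMPLE_SEGMENTS = [
    ("10.0.0.5:443>10.0.0.9:51000", 1000, 100, 500),
    ("10.0.0.5:443>10.0.0.9:51000", 1000, 100, 500),  # duplicate of segment 1
    ("10.0.0.5:443>10.0.0.9:51000", 1100, 100, 501),
    ("10.0.0.5:443>10.0.0.9:51000", 1100, 100, 501),  # duplicate of segment 3
    ("10.0.0.5:443>10.0.0.9:51000", 1150, 100, 502),  # overlaps 1100-1199
    ("10.0.0.5:443>10.0.0.9:51000", 1250, 100, 499),  # tsval went backwards
]


def analyse(segments):
    """Return {flow: {"duplicates", "overlaps", "paws_violations"}} counts.

    A duplicate is a segment with the same seq and length as an earlier one in
    the flow (a real tool would also compare payload / IP ID); an overlap is a
    segment whose byte range intersects an earlier one without matching it; a
    PAWS violation is a tsval lower than the highest one already seen (RFC 7323
    rejects such segments, and Snort raises 129:4 for them).
    """
    stats = defaultdict(lambda: {"duplicates": 0, "overlaps": 0, "paws_violations": 0})
    seen = defaultdict(list)   # flow -> [(seq, length), ...]
    last_ts = {}               # flow -> highest tsval accepted so far
    for flow, seq, length, tsval in segments:
        end = seq + length
        for pseq, plen in seen[flow]:
            if pseq == seq and plen == length:
                stats[flow]["duplicates"] += 1
                break
            if seq < pseq + plen and pseq < end:
                stats[flow]["overlaps"] += 1
                break
        if flow in last_ts and tsval < last_ts[flow]:
            stats[flow]["paws_violations"] += 1
        last_ts[flow] = max(tsval, last_ts.get(flow, tsval))
        seen[flow].append((seq, length))
    return dict(stats)


def duplicate_share(segments):
    """Fraction of all segments that are exact copies of an earlier segment.

    Roughly 0.5 means every segment arrived twice: the mirror session is
    delivering the same link from both sides rather than the server misbehaving.
    """
    dups = sum(s["duplicates"] for s in analyse(segments).values())
    return dups / len(segments) if segments else 0.0
```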
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- snort on a span/monitor port on cisco : false positives thru the roof ? Crusty Saint (Jan 24)
- Re: snort on a span/monitor port on cisco : false positives thru the roof ? Crusty Saint (Jan 26)