Snort mailing list archives

Re: Can't alert on most


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Mar 2014 07:25:31 -0500

On 3/3/2014 9:48 PM, Michael Wisniewski wrote:
> ...and there's some other alerts, but the TCP small segments are the ones that
> dominate the log.  I can do a nmap scan from offsite and all I see are the above
> alert; nothing about a portscan.
>
> Does anybody know why I'm seeing this?  In the conf file, I have pretty much all
> stock (except for the paths).  Is there something else that needs to be enabled
> in order to see the proper alerts?

it really isn't about seeing "the proper alerts"... the small segments alerts 
are proper alerts... the question is how do you want to solve it... there are 
several ways... one way is to disable the rule by commenting it out in the 
preprocessor rules file... another way is to threshold the rule... but tuning 
your snort.conf's stream5_tcp small_segments settings or removing the 
small_segments settings portion of the config would probably be better... IMO, 
the former is preferred, with the latter and the others being (extreme) last 
resort methods...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
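The options listed in the reply, written out as snort.conf / threshold.conf fragments. This is an added illustration, not configuration from the thread or from the Snort distribution; the stream5_tcp keyword syntax is Snort 2.9's, and GID 129 / SID 12 is assumed here to be the small-segment event (check it against the entry in preproc_rules/preprocessor.rules on your install).

```conf
# Stock-style stream5 lines (constructed example). small_segments <count> bytes <size>
# fires once <count> consecutive segments of at most <size> bytes are seen on one
# flow; detect_anomalies must be on or stream5 raises none of its own alerts.
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    small_segments 3 bytes 150

# Preferred (per the reply): tune the setting. Raise the count/size and skip ports
# that legitimately send tiny segments (interactive SSH, DNS over TCP) so the
# alert only fires on traffic worth looking at.
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    small_segments 10 bytes 20 ignore_ports 22 53

# Last-resort alternatives the reply mentions:
# (a) drop the small_segments portion entirely
preprocessor stream5_tcp: policy windows, detect_anomalies

# (b) keep the event but rate-limit it to one log entry per source per minute
#     (threshold.conf or snort.conf; assumes gen_id 129 / sig_id 12)
event_filter gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60

# (c) silence it: a suppress entry, or comment out the matching
#     "sid:12; gid:129" line in preproc_rules/preprocessor.rules
suppress gen_id 129, sig_id 12
```

Only one stream5_tcp line per policy belongs in a real snort.conf; the three above show the alternatives side by side.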

