Snort mailing list archives
Stream preprocessor small segment port suppression
From: Andrea Venturoli <ml () netfence it>
Date: Thu, 21 Jul 2016 19:14:53 +0200
Hello.

I've got another question about Stream preprocessor...

small_segments features an "ignore_ports" option; so, for example, I could put the following in my config:

    small_segments 5 bytes 100 ignore_ports 23

The idea is that the telnet protocol will often use small packets, so I'll just have snort live with it and don't overwhelm me with such alerts.

However, I found out that only the destination port will be taken into account, so packets traveling from client to server will get ignored, but packets flying from server to client (random port here!) will still trigger the alert.

Of course "telnet" is just an example, I'm also seeing this with SSH, NFS, VPNs, etc...

I'm wondering why only the destination port is taken into account, since I can't see the rationale behind this choice.

Or maybe I'm doing something wrong, missing some other option, forgetting some other thing?

bye & Thanks
av.
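An added example, not part of the original post and not Snort's code: a simplified Python model of the behaviour the message describes, comparing destination-only matching of ignore_ports with a hypothetical either-port match. The function name, the `match` parameter, the session data and the counting rule (a run completes when one direction reaches the configured number of consecutive small segments) are assumptions made for illustration.

```python
# Simplified model of the behaviour described in the post; not Snort source code.
from collections import defaultdict

def small_segment_alerts(segments, max_consecutive=5, small_bytes=100,
                         ignore_ports=frozenset({23}), match="dst"):
    """Return (index, src_port, dst_port) for each segment that would alert.

    segments: (src_port, dst_port, payload_len) tuples of one TCP flow.
    match="dst":    only the destination port is checked against ignore_ports
                    (the behaviour reported in the post).
    match="either": hypothetical alternative that checks both ports.
    """
    if match not in ("dst", "either"):
        raise ValueError("match must be 'dst' or 'either'")
    run = defaultdict(int)          # consecutive small segments per direction
    alerts = []
    for i, (sport, dport, length) in enumerate(segments):
        direction = (sport, dport)
        if length == 0:
            continue                # assumption: pure ACKs are not counted
        if length >= small_bytes:
            run[direction] = 0      # a full-size segment ends the run
            continue
        run[direction] += 1
        if run[direction] < max_consecutive:
            continue
        run[direction] = 0          # assumption: start a new run afterwards
        if match == "dst":
            ignored = dport in ignore_ports
        else:
            ignored = sport in ignore_ports or dport in ignore_ports
        if not ignored:
            alerts.append((i, sport, dport))
    return alerts

# Constructed telnet-like session: client port 51514, server port 23.
# Twelve 1-byte keystrokes, each echoed back, then one 400-byte screen
# update from the server followed by three more small server segments.
SESSION = []
for _ in range(12):
    SESSION.append((51514, 23, 1))   # keystroke, client to server
    SESSION.append((23, 51514, 1))   # echo, server to client
SESSION.append((23, 51514, 400))
SESSION += [(23, 51514, 1)] * 3

if __name__ == "__main__":
    for mode in ("dst", "either"):
        print(mode, small_segment_alerts(SESSION, match=mode))
```

With destination-only matching, every alert in the model comes from the server-to-client direction, whose destination is the client's ephemeral port.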
Current thread:
- Stream preprocessor small segment port suppression Andrea Venturoli (Jul 21)
- Re: Stream preprocessor small segment port suppression Russ (Jul 21)