Snort mailing list archives

Re: Anyone else seeing lots of 129 20 this am?


From: Daniel Rieille via Snort-users <snort-users () lists snort org>
Date: Fri, 30 Aug 2019 21:42:35 +0200

That's what we did.
We got more than 250k of them today. Sguil server died. We had to delete
those 250k alerts before being able to restart it successfully...

On Fri, 30 Aug 2019 at 21:32, Joel Esler (jesler) via Snort-users
<snort-users () lists snort org> wrote:

As you all know, however, that is a preprocessor alert.  It may be as
simple as shutting that preprocessor rule off?

On 8/30/19, 2:17 PM, "Snort-users on behalf of Michael Steele"
<snort-users-bounces () lists snort org on behalf of michaels () winsnort com> wrote:

    I noticed that too on the last Snort update. Getting a LOT more
    alerts. I also updated the rules at the same time and never went back to
    the old rules to see if that was where the change came in?

    WINSNORT.com Management Team Member
    --
    ********************************************************
    *     Since 2002 ~~ Visit http://www.winsnort.com
    *      ~~ FREE Windows installation Tutorials ~~
    *              ~~ FREE Support Forums ~~
    * Snort: Open Source Network IDS - http://www.snort.org
    ********************************************************

    -----Original Message-----
    From: Snort-users <snort-users-bounces () lists snort org> On Behalf Of
James Lay via Snort-users
    Sent: Friday, August 30, 2019 11:26 AM
    To: Joel Esler (jesler) <jesler () cisco com>
    Cc: Snort <snort-users () lists snort org>
    Subject: Re: [Snort-users] Anyone else seeing lots of 129 20 this am?

    Something as in snort ;)  Same traffic, a LOT more alerts right after
    updates.

    On 2019-08-30 09:23, Joel Esler (jesler) wrote:
    > When you say "something changed", do you mean "Snort" changed.  Or
    > "attacker behavior" may be changing?
    >
    >> On Aug 30, 2019, at 8:13 AM, James Lay via Snort-users
    >> <snort-users () lists snort org> wrote:
    >>
    >> Yea something changed....I run ssh on a non-standard port and now I'm
    >> seeing:
    >>
    >> [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before
    >> client request
    >>
    >> after updating rules this AM:
    >>
    >> Aug 30 01:10:22 snort[31692]: Decoding Ethernet
    >> Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
    >>
    >> that http_inspect hit rule is the first time I've seen that in my
    >> logs....ever 😉
    >>
    >> James
    >>
    >> On Fri, 2019-08-30 at 06:05 -0600, James Lay via Snort-users wrote:
    >>
    >>> Seeing massive amounts of [129:20:1] TCP session without 3-way
    >>> handshake this morning....seems to be firing off on RST packets.
    >>>
    >>> James
    >>>
    >>> <Screenshot from 2019-08-30 06-05-03.png>
    >>>
    >>> _______________________________________________
    >>>
    >>> Snort-users mailing list
    >>>
    >>> Snort-users () lists snort org
    >>>
    >>> Go to this URL to change user options or unsubscribe:
    >>>
    >>> https://lists.snort.org/mailman/listinfo/snort-users
    >>>
    >>> To unsubscribe, send an email to:
    >>>
    >>> snort-users-leave () lists snort org
    >>>
    >>> Please visit http://blog.snort.org [1] to stay current on all the
    >>> latest Snort news!
    >>>
    >>> Please follow these rules:
    >>> https://snort.org/faq/what-is-the-mailing-list-etiquette
    >>
    >
    >
    >
    > Links:
    > ------
    > [1] http://blog.snort.org/




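Before turning a preprocessor rule off outright, as Joel suggests, a defender usually wants to see which gid:sid pairs are actually producing the flood (250k of [129:20:1] in a day, in Daniel's case) and rate-limit those first. The following Python is an added example, not code from the thread or from the Snort project: it parses the syslog-style alert lines quoted above (sample lines constructed here, including a local-range sid used as a placeholder), counts alerts per signature, and emits Snort 2 threshold.conf `event_filter` lines for the noisy preprocessor signatures.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread; the [1:1000001:1]
# entry is a placeholder local-range text rule, not a real signature.
SAMPLE_LOG = """\
Aug 30 01:10:22 snort[31692]: Decoding Ethernet
Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
Aug 30 01:17:54 snort[31692]: [129:20:1] TCP session without 3-way handshake
Aug 30 01:17:54 snort[31692]: [129:20:1] TCP session without 3-way handshake
Aug 30 01:17:55 snort[31692]: [129:20:1] TCP session without 3-way handshake
Aug 30 01:18:01 snort[31692]: [1:1000001:1] LOCAL placeholder text rule
"""

# Matches the [gid:sid:rev] tag Snort prefixes to every alert message.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(.*)$")


def parse_alerts(text):
    """Yield (gid, sid, rev, msg) for every line carrying a [gid:sid:rev] tag.

    Lines without a tag (e.g. 'Decoding Ethernet') are skipped.
    """
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
            yield gid, sid, rev, m.group(4).strip()


def count_by_signature(text):
    """Count alerts per (gid, sid); rev is ignored so rule revisions merge."""
    return Counter((gid, sid) for gid, sid, _, _ in parse_alerts(text))


def noisy_preprocessor_alerts(counts, min_count):
    """Preprocessor signatures (gid != 1) at or above min_count, noisiest first."""
    hits = [(k, c) for k, c in counts.items() if k[0] != 1 and c >= min_count]
    return sorted(hits, key=lambda kv: -kv[1])


def event_filter_line(gid, sid, seconds=60):
    # Snort 2 threshold.conf syntax: at most one event per source per window.
    # A 'suppress gen_id G, sig_id S' line would silence it entirely instead.
    return (f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count 1, seconds {seconds}")


def triage_config(text, min_count=2):
    """event_filter lines for every noisy preprocessor signature in the log."""
    counts = count_by_signature(text)
    return [event_filter_line(g, s) for (g, s), _ in
            noisy_preprocessor_alerts(counts, min_count)]
```

Run against a real alert log, the `min_count` threshold should be set relative to the sensor's normal daily volume rather than the constructed value used here.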