Snort mailing list archives
Re: Anyone else seeing lots of 129 20 this am?
From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Sat, 31 Aug 2019 02:49:32 +0000
Maybe it was just added to the preprocessor.rules then? That makes sense.

Sent from my iPhone

On Aug 30, 2019, at 16:30, James Lay via Snort-users <snort-users () lists snort org> wrote:

So judging by the lack of sid 20 in my gen-msg.map:

<2019-08-30 14_18_14-ids.png>

I'm betting this is a new-ish stream5 rule? I don't have 120:18 either...thanks Joel.

James

On 2019-08-30 13:55, Joel Esler (jesler) via Snort-users wrote:

We don’t make changes to preprocessors; it’s in a rule update. It’s possible that this alert may not have been included in the past and we just introduced it. That’s a possibility. But we didn’t change any code with this release.

Sent from my iPhone

On Aug 30, 2019, at 15:42, Daniel Rieille <dan.rieille () gmail com> wrote:

That's what we did. We got more than 250k of them today. Sguil server died. We had to delete those 250k alerts before being able to restart it successfully...

On Fri, 30 Aug 2019 at 21:32, Joel Esler (jesler) via Snort-users <snort-users () lists snort org> wrote:

As you all know, however, that is a preprocessor alert. It may be as simple as shutting that preprocessor rule off?

On 8/30/19, 2:17 PM, "Snort-users on behalf of Michael Steele" <snort-users-bounces () lists snort org on behalf of michaels () winsnort com> wrote:

I noticed that too on the last Snort update. Getting a LOT more alerts. I also updated the rules at the same time and never went back to the old rules to see if that was where the change came in?

WINSNORT.com Management Team Member
--
********************************************************
* Since 2002 ~~ Visit http://www.winsnort.com
* ~~ FREE Windows installation Tutorials ~~
* ~~ FREE Support Forums ~~
* Snort: Open Source Network IDS - http://www.snort.org
********************************************************

-----Original Message-----
From: Snort-users <snort-users-bounces () lists snort org> On Behalf Of James Lay via Snort-users
Sent: Friday, August 30, 2019 11:26 AM
To: Joel Esler (jesler) <jesler () cisco com>
Cc: Snort <snort-users () lists snort org>
Subject: Re: [Snort-users] Anyone else seeing lots of 129 20 this am?

Something as in snort ;) Same traffic, a LOT more alerts right after updates.

On 2019-08-30 09:23, Joel Esler (jesler) wrote:

When you say "something changed", do you mean "Snort" changed, or "attacker behavior" may be changing?

On Aug 30, 2019, at 8:13 AM, James Lay via Snort-users <snort-users () lists snort org> wrote:

Yea something changed....I run ssh on a non-standard port and now I'm seeing:

[120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request

after updating rules this AM:

Aug 30 01:10:22 snort[31692]: Decoding Ethernet
Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request

That http_inspect hit rule is the first time I've seen that in my logs....ever 😉

James

On Fri, 2019-08-30 at 06:05 -0600, James Lay via Snort-users wrote:

Seeing massive amounts of [129:20:1] TCP session without 3-way handshake this morning....seems to be firing off on RST packets.

James

<Screenshot from 2019-08-30 06-05-03.png>

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org

Please visit http://blog.snort.org [1] to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Links:
------
[1] http://blog.snort.org/
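The steps the thread walks through (count what is firing, check whether the gid:sid is even in gen-msg.map, then either suppress or rate-limit the preprocessor event or comment its preprocessor.rules entry out) can be scripted. The helper below is an added example, not code from this thread or from the Snort project. The syslog lines, the gen-msg.map excerpt and the preprocessor.rules entries are constructed to follow those files' formats; the suppress and event_filter lines use Snort 2 threshold.conf syntax; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage helpers for a preprocessor-alert storm such as 129:20.
# Every sample below is constructed for this example; none is from the thread.

# Constructed syslog lines in the shape Snort writes them: "... prog[pid]: [gid:sid:rev] msg".
SAMPLE_LOG='Aug 30 01:10:22 snort[31692]: Decoding Ethernet
Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
Aug 30 06:05:01 snort[31692]: [129:20:1] TCP session without 3-way handshake
Aug 30 06:05:02 snort[31692]: [129:20:1] TCP session without 3-way handshake
Aug 30 06:05:02 snort[31692]: [129:20:1] TCP session without 3-way handshake'

# Constructed gen-msg.map excerpt in its "gid || sid || message" layout.
SAMPLE_GENMSG='129 || 19 || stream5: Data sent on stream after TCP reset received
129 || 20 || stream5: TCP session without 3-way handshake
120 || 18 || http_inspect: HTTP server response before client request'

# Constructed preprocessor.rules lines in the "alert ( msg: ...; sid: N; gid: N; ... )" layout.
SAMPLE_RULES='alert ( msg: "STREAM5_DATA_AFTER_RESET"; sid: 19; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
alert ( msg: "STREAM5_NO_3WHS"; sid: 20; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )'

# Tally alerts per gid:sid from syslog-style lines on stdin, busiest first.
count_alerts() {
    sed -n 's/^.*\[\([0-9][0-9]*:[0-9][0-9]*\):[0-9][0-9]*].*$/\1/p' \
        | sort | uniq -c | sort -rn
}

# Number of alerts for one gid:sid ($1) in the lines on stdin (prints 0 when none).
alert_count() {
    grep -c "\[$1:[0-9]*]" || true
}

# Resolve gid:sid ($1) to its message using gen-msg.map content on stdin;
# exits non-zero when the pair is absent, which is what James saw for 129:20.
genmsg_lookup() {
    gid=${1%%:*}; sid=${1##*:}
    awk -F ' \\|\\| ' -v g="$gid" -v s="$sid" \
        '$1 == g && $2 == s { print $3; found = 1 } END { exit !found }'
}

# threshold.conf line that drops the event entirely (Snort 2 suppress syntax).
suppress_line() {
    gid=${1%%:*}; sid=${1##*:}
    printf 'suppress gen_id %s, sig_id %s\n' "$gid" "$sid"
}

# threshold.conf line that keeps at most $2 events per source per $3 seconds,
# so the alert stays visible without the flood that took Sguil down.
rate_limit_line() {
    gid=${1%%:*}; sid=${1##*:}
    printf 'event_filter gen_id %s, sig_id %s, type limit, track by_src, count %s, seconds %s\n' \
        "$gid" "$sid" "$2" "$3"
}

# Comment out the preprocessor.rules entry for gid:sid ($1) read from stdin,
# leaving every other line untouched ("shutting that preprocessor rule off").
disable_preproc_rule() {
    gid=${1%%:*}; sid=${1##*:}
    sed "/sid: *$sid;.*gid: *$gid;/s/^alert/# alert/"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | count_alerts
printf '%s\n' "$SAMPLE_GENMSG" | genmsg_lookup 129:20 || echo "129:20 not in gen-msg.map"
suppress_line 129:20
rate_limit_line 129:20 1 60
printf '%s\n' "$SAMPLE_RULES" | disable_preproc_rule 129:20
```

On a live sensor the counting step runs over the real syslog or alert file, and the gen-msg.map check is worth doing first: as the thread notes, a gid:sid that is missing from a sensor's gen-msg.map is a sign the event arrived with a rule update rather than a code change. Rate-limiting with event_filter keeps a record of the bursts (the RST-driven 129:20 hits) for later review, whereas suppress or commenting out the preprocessor rule silences them completely.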