Snort mailing list archives
Re: Anyone else seeing lots of 129 20 this am?
From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Tue, 3 Sep 2019 20:32:09 +0000
We didn't update the version of Snort you all are using. But we did update the preprocessor.rules file. So, if you are getting alerts now, Snort may have been generating them all along, and the preprocessor file was never able to generate a named alert, as Snort didn't know what to name it.

If you want to disable this check, it's part of the stream5 preprocessor configuration with the "detect anomalies" configuration line.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On 9/3/19, 4:02 PM, "Brian Cole" <cole () echoworx com> wrote:

> I can provide a little more information here. As far as I can tell my installation of PulledPork *is* configured to update the preprocessor rules, but it seems to have skipped them for some reason. So I manually untarred the Snort rules tarball it downloaded, found the preprocessor.rules file and copied it to my /etc/snort folder where it needed to be, and then restarted Snort. I manually looked at the file and it is MUCH larger than the one I had previously.
>
> While that may have fixed that configuration issue, I have been watching my Snort alert log and I am still seeing TONS of 129:20:1 alerts, so the original problem remains... :-(
>
> [129:20:1] TCP session without 3-way handshake [**] [Classification: Potentially Bad Traffic] [Priority: 2]
>
> Something caused Snort to get real noisy for that issue on August 31st. This issue is occurring on multiple Snort servers I manage in different countries.
>
> ...brian
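Added example, not part of this thread and not Snort or PulledPork code: a small Python triage script that parses alert_fast-style lines like the one Brian quoted, counts alerts per GID:SID, and flags the days on which one signature's volume jumps relative to its baseline. Counting by day is how you separate the two cases Joel distinguishes (Snort was already firing 129:20 and the rules update merely gave the alert a name, versus traffic actually changing on a given day) before deciding whether to leave 129:20 enabled or turn off `detect_anomalies` (the option's spelling on the `preprocessor stream5_tcp:` line in a Snort 2.9 snort.conf). The sample log lines, addresses and the second signature 1:2123 are constructed; the regex assumes the alert_fast format with a leading timestamp and trailing packet summary, and the spike threshold (`factor`) is an arbitrary choice.

```python
import re
from collections import Counter

# Matches Snort "alert_fast" output lines: timestamp, [gid:sid:rev], message,
# optional classification/priority, and the protocol plus src -> dst summary.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"(?:\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)


def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["date"] = fields["ts"].split("-")[0]  # MM/DD prefix of the timestamp
    fields["sig"] = f"{fields['gid']}:{fields['sid']}"
    return fields


def count_by_signature(lines):
    """Total alerts per GID:SID, skipping lines that are not alerts."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            counts[a["sig"]] += 1
    return counts


def daily_counts(lines, sig):
    """Alerts per MM/DD day for one GID:SID."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a is not None and a["sig"] == sig:
            counts[a["date"]] += 1
    return counts


def spike_days(counts, factor=4):
    """Days whose count is at least `factor` times the median of the other days."""
    spikes = []
    for day, n in counts.items():
        others = sorted(c for d, c in counts.items() if d != day)
        if not others:
            continue
        median = others[len(others) // 2]
        if n >= factor * max(median, 1):
            spikes.append(day)
    return sorted(spikes)


def _line(date, sid_block, msg, n):
    """Build one constructed alert_fast line (sample data, not a real capture)."""
    return (f"{date}-10:{n:02d}:00.000000  [**] {sid_block} {msg} [**] "
            f"[Classification: Potentially Bad Traffic] [Priority: 2] "
            f"{{TCP}} 198.51.100.{n}:51234 -> 192.0.2.10:443")


# Constructed sample log: a quiet baseline, then a jump on 08/31 and 09/01.
SAMPLE = []
for date, n in (("08/29", 2), ("08/30", 2), ("08/31", 10), ("09/01", 9)):
    SAMPLE += [_line(date, "[129:20:1]", "TCP session without 3-way handshake", i)
               for i in range(n)]
SAMPLE.append(_line("08/30", "[1:2123:1]", "example text rule", 1))
SAMPLE.append("Initializing Output Plugins!")  # non-alert noise, must be skipped

if __name__ == "__main__":
    print(count_by_signature(SAMPLE))
    print(spike_days(daily_counts(SAMPLE, "129:20")))
```

Run it against a real alert file with `daily_counts(open(path), "129:20")`; if the spike days line up with a Snort restart rather than with a traffic change, the extra 129:20 hits are sessions Snort picked up mid-stream after the restart and the rules update only gave them a name, which is the cheap check to make before touching the stream5 configuration.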