Snort mailing list archives

snort-decoder


From: John Hally <JHally () epnet com>
Date: Mon, 12 May 2003 09:51:44 -0400


Hi guys,

I'm getting pummeled by these alerts (23,000+ this weekend) which have to be
false positives, but I can't figure out a way to disable it short of
shutting off the sensor.  Can anyone give me a little insight as to how to disable
this alert, or why I'm getting so many?
#(9 - 66761) [2003-05-12 13:46:36] [snort/56]  (snort_decoder): T/TCP Detected
IPv4: 204.169.143.149 -> xxx.xxx.xxx.xxx
      hlen=5 TOS=0 dlen=68 ID=45277 flags=0 offset=0 TTL=55 chksum=25195
TCP:  port=1620 -> dport: 80  flags=******S* seq=2260574771
      ack=2218756307 off=12 res=0 win=16384 urp=0 chksum=41174
      Options:
       #1 - MSS len=2 data=0200
       #2 - NOP len=0
       #3 - WS len=1 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=8 data=005739D200000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - CCNEW len=4 data=01175882
Payload: none


Thanks in advance.

John H.
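Added example (not from the post or from Snort's own code): a small TCP option parser, with the nine options from the SYN in the alert above reconstructed as bytes. It shows that the option the decoder reports is CC.NEW (kind 12 in RFC 1644, printed as CCNEW in the dump), which is what the "T/TCP Detected" decoder alert keys on; a second, constructed SYN with ordinary options produces no T/TCP match.

```python
# Added example: decode the TCP options from the alert above and show which one
# is the T/TCP option the Snort decoder reports. Not from the original post.

# Option kinds: RFC 793 (EOL/NOP/MSS), RFC 2018 (SACKOK/SACK), RFC 1323 (WS/TS),
# RFC 1644 (CC, CC.NEW, CC.ECHO). Names follow the style of the Snort dump.
OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACKOK", 5: "SACK", 8: "TS",
                11: "CC", 12: "CCNEW", 13: "CCECHO"}
TTCP_KINDS = {11, 12, 13}   # connection-count options defined by T/TCP (RFC 1644)

def parse_tcp_options(raw: bytes):
    """Return a list of (kind, name, data) tuples; stops at EOL (kind 0)."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                        # EOL: only padding follows
            break
        if kind == 1:                        # NOP: one byte, no length field
            opts.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option header truncated at offset %d" % i)
        length = raw[i + 1]                  # total length, kind and len bytes included
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        name = OPTION_NAMES.get(kind, "kind%d" % kind)
        opts.append((kind, name, raw[i + 2:i + length]))
        i += length
    return opts

def ttcp_options(raw: bytes):
    """Names of the T/TCP options present; a non-empty list is what the alert reports."""
    return [name for kind, name, _ in parse_tcp_options(raw) if kind in TTCP_KINDS]

def snort_style(raw: bytes):
    """Render options as '#n - NAME len=L data=HEX' lines, like the alert dump."""
    return ["#%d - %s len=%d%s" % (n, name, len(data),
                                    " data=" + data.hex().upper() if data else "")
            for n, (_, name, data) in enumerate(parse_tcp_options(raw), 1)]

# The 28 option bytes of the alerted SYN (off=12 -> 48-byte header -> 28 option
# bytes), constructed here from the values listed in the dump.
ALERT_SYN_OPTIONS = bytes.fromhex(
    "02040200" "01" "030300" "01" "01" "080a005739d200000000" "01" "01" "0c0601175882")

# A SYN from a stack without T/TCP (constructed: MSS, SACKOK, TS, NOP, WS), for contrast.
PLAIN_SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")

if __name__ == "__main__":
    print("\n".join(snort_style(ALERT_SYN_OPTIONS)))
    print("T/TCP options:", ttcp_options(ALERT_SYN_OPTIONS))   # ['CCNEW']
    print("T/TCP options:", ttcp_options(PLAIN_SYN_OPTIONS))   # []
```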

