Snort mailing list archives
snort-decoder
From: John Hally <JHally () epnet com>
Date: Mon, 12 May 2003 09:51:44 -0400
Hi guys, I'm getting pummeled by these alerts (23,000+ this weekend) which have to be false positives, but I can't figure out a way to disable it short of shutting off the sensor. Can anyone give me a little insight as to how to disable this alert, or why I'm getting so many?

#(9 - 66761) [2003-05-12 13:46:36] [snort/56] (snort_decoder): T/TCP Detected
IPv4: 204.169.143.149 -> xxx.xxx.xxx.xxx
      hlen=5 TOS=0 dlen=68 ID=45277 flags=0 offset=0 TTL=55 chksum=25195
TCP:  port=1620 -> dport: 80  flags=******S* seq=2260574771
      ack=2218756307 off=12 res=0 win=16384 urp=0 chksum=41174
      Options:
       #1 - MSS len=2 data=0200
       #2 - NOP len=0
       #3 - WS len=1 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=8 data=005739D200000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - CCNEW len=4 data=01175882
Payload: none

Thanks in advance.

John H.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
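The option that triggers this decoder alert is #9, CCNEW: Snort's decoder reports "T/TCP Detected" whenever a TCP header carries one of the RFC 1644 T/TCP options (CC, CC.NEW or CC.ECHO, option kinds 11, 12 and 13). The following is an added example, not code from the original post or from Snort, that rebuilds the 48-byte TCP header described by the alert (off=12 means 12 x 4 bytes, so 28 bytes of options), walks the option list the way a decoder does, and flags any T/TCP options. The option bytes are constructed from the alert's kind, length and data fields; the kind and total-length bytes that Snort's output omits are filled in from the RFCs, and the field and function names are the example's own.

```python
"""Parse TCP options from the SYN shown in the alert and flag T/TCP options.

Added example, not Snort code. SAMPLE_OPTIONS and SAMPLE_HEADER are constructed
from the field values Snort printed in the alert above.
"""

import struct

# TCP option kinds (RFC 793, RFC 1323, RFC 1644).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SACK_OK, OPT_SACK, OPT_TS = 0, 1, 2, 3, 4, 5, 8
OPT_CC, OPT_CC_NEW, OPT_CC_ECHO = 11, 12, 13
TTCP_KINDS = {OPT_CC: "CC", OPT_CC_NEW: "CC.NEW", OPT_CC_ECHO: "CC.ECHO"}
NAMES = {
    OPT_EOL: "EOL", OPT_NOP: "NOP", OPT_MSS: "MSS", OPT_WS: "WS",
    OPT_SACK_OK: "SACKOK", OPT_SACK: "SACK", OPT_TS: "TS", **TTCP_KINDS,
}

# Constructed: the 28 option bytes implied by "off=12" (48-byte header) and the
# nine options in the alert. Snort prints only the data length; on the wire each
# non-NOP option is kind, total length, data.
SAMPLE_OPTIONS = bytes.fromhex(
    "02040200"              # MSS,    len 4,  data 0200 (512)
    "01"                    # NOP
    "030300"                # WS,     len 3,  shift 0
    "0101"                  # NOP NOP
    "080a005739d200000000"  # TS,     len 10, TSval 0x005739d2, TSecr 0
    "0101"                  # NOP NOP
    "0c0601175882"          # CC.NEW, len 6,  data 01175882  <- T/TCP option
)

# Constructed: fixed 20-byte TCP header from the alert (sport 1620, dport 80,
# seq, ack, data offset 12, SYN only, win 16384, chksum 41174, urp 0).
SAMPLE_HEADER = struct.pack(
    "!HHIIBBHHH", 1620, 80, 2260574771, 2218756307, 12 << 4, 0x02, 16384, 41174, 0
) + SAMPLE_OPTIONS


def options_from_header(tcp_header: bytes) -> bytes:
    """Slice the options field out of a raw TCP header using the data offset."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError(f"bad data offset {data_offset} for {len(tcp_header)}-byte header")
    return tcp_header[20:data_offset]


def parse_tcp_options(opts: bytes):
    """Walk the options field; return a list of (kind, name, data) tuples.

    Raises ValueError on a missing or bad length byte so a truncated or
    garbage option list is rejected rather than silently accepted.
    """
    out, i, n = [], 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == OPT_EOL:                       # end of option list
            out.append((kind, "EOL", b""))
            break
        if kind == OPT_NOP:                       # single-byte padding
            out.append((kind, "NOP", b""))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option kind {kind} at offset {i} has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > n:
            raise ValueError(f"option kind {kind} at offset {i} has bad length {length}")
        out.append((kind, NAMES.get(kind, f"kind{kind}"), opts[i + 2:i + length]))
        i += length
    return out


def ttcp_options(opts: bytes):
    """Names of any T/TCP (RFC 1644) options present, e.g. ['CC.NEW']."""
    return [name for kind, name, _ in parse_tcp_options(opts) if kind in TTCP_KINDS]


if __name__ == "__main__":
    opts = options_from_header(SAMPLE_HEADER)
    for num, (kind, name, data) in enumerate(parse_tcp_options(opts), start=1):
        print(f"#{num} - {name} len={len(data)} data={data.hex().upper()}")
    print("T/TCP options present:", ttcp_options(opts))
```

Running it reproduces Snort's nine-line option listing and reports `['CC.NEW']`; a SYN carrying only MSS, window scale and timestamps returns an empty list, which is the difference between traffic that trips this decoder alert and traffic that does not.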
Current thread:
- snort-decoder John Hally (May 09)
- <Possible follow-ups>
- snort-decoder John Hally (May 12)
- Re: snort-decoder Matt Kettler (May 12)