Re: Strange Alerts

[Artur Bittencourt <artur () via-rs net>]

Hi there,

        I have the same situation here. After I´ve upgraded to Snort 2.0.0 
I´ve got a lot of alerts (more than 191000) with "(snort_decoder): T/TCP 
Detected" on my e-mail server. How do I turn this rule off ?

Thank you for your attention,

Artur



At 10:31 23/4/2003 -0500, you wrote:

> Brett.Gillett () tsx com wrote asking:
>
> >I have a question regarding alerts that we started to receive once we
> >upgraded to Snort 2.0, it seems that all of our sensors started generating
> >T/TCP Detected alerts
>
> T/TCP stands for "Transaction TCP", and is a way of dispensing with the
> customary three-way handshake used to initiate a TCP exchange over the
> network.  Do a Google on "t/tcp" and you'll find out lots about it, but
> here's a link to get started:
>
>   http://ttcplinux.sourceforge.net/
>
> I grepped the source IP in my webserver logs and have so far found that
> these packets are commonly associated with "normal" sessions involving
> Microsoft IE clients.  Are you hosting any websites?
>
> Best regards,
>
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Artur Bittencourt
PROCERGS - Cia. de Processamento de Dados do Estado do RGS
Divisão de Telecomunicações
CCNA Certified
Tel: +55 51 32103138  Fax: +55 51 32103159
Porto Alegre - RS - Brasil