Snort mailing list archives
Can not stop T/TCP Detected alerts?
From: brett <brett () ekit-inc com>
Date: 08 Aug 2003 15:54:39 +1000
I am getting a heap of the alerts: [snort] (snort_decoder): T/TCP Detected.

It seems to be triggered by the CC.NEW: field in the TCP options as below:

Transmission Control Protocol, Src Port: 21776 (21776), Dst Port: smtp (25), Seq: 2549039317, Ack: 0, Len: 0
    Source port: 21776 (21776)
    Destination port: smtp (25)
    Sequence number: 2549039317
    Header length: 48 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x5ae9 (correct)
    Options: (28 bytes)
        Maximum segment size: 1460 bytes
        NOP
        Window scale: 1 (multiply by 2)
        NOP
        NOP
        Time stamp: tsval 176589, tsecr 0
        NOP
        NOP
        CC.NEW: 1784

I have un-commented the disable ttcp_alerts in snort.config and restarted snort but am still seeing the alerts?

    # Stop Alerts on T/TCP alerts
    #
    config disable_ttcp_alerts

Any Suggestions?

- Brett
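Added example, not part of the original post and not Snort's own code: a small Python parser that walks the 28 option bytes rebuilt from the dissection above and picks out the T/TCP options (kinds 11 to 13, RFC 1644), showing that CC.NEW is the only one in this SYN. The byte string, function names and constants are constructed for illustration.

```python
import struct

KIND_NAMES = {2: "MSS", 3: "Window scale", 8: "Time stamp",
              11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}
TTCP_KINDS = {11, 12, 13}  # T/TCP connection-count options (RFC 1644)


def parse_tcp_options(raw):
    """Walk a TCP options field and return a list of (kind, name, data)."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            opts.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]      # length covers the kind and length bytes too
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, KIND_NAMES.get(kind, "kind %d" % kind),
                     raw[i + 2:i + length]))
        i += length
    return opts


def ttcp_options(raw):
    """Return the T/TCP options present, as (name, connection count) pairs."""
    return [(name, struct.unpack("!I", data)[0])
            for kind, name, data in parse_tcp_options(raw)
            if kind in TTCP_KINDS and len(data) == 4]


# Constructed sample: the 28 option bytes rebuilt from the dissection above.
SAMPLE_OPTIONS = (
    struct.pack("!BBH", 2, 4, 1460)            # Maximum segment size: 1460
    + b"\x01"                                  # NOP
    + struct.pack("!BBB", 3, 3, 1)             # Window scale: 1
    + b"\x01\x01"                              # NOP NOP
    + struct.pack("!BBII", 8, 10, 176589, 0)   # Time stamp: tsval, tsecr
    + b"\x01\x01"                              # NOP NOP
    + struct.pack("!BBI", 12, 6, 1784)         # CC.NEW: 1784
)

if __name__ == "__main__":
    print("T/TCP options:", ttcp_options(SAMPLE_OPTIONS))
```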