Snort mailing list archives

Re: perfmonitor pre-processor issues


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 30 Sep 2010 17:48:20 -0400

Is there any way you can provide a snort.conf and a pcap of your
network traffic to me privately?

Something doesn't sound right.

J

On Thursday, September 30, 2010, Daniel Shepherd
<shepdelacreme () gmail com> wrote:
I am currently running 2.9.0 and am having a lot of preprocessor
issues. Alerts for http, stream5, and frag3 needed to be turned off
completely because the number of alerts was crushing the machine. The
largest offender by far was stream5 with alerts about excessive fragments
and "timestamp outside PAWS window". The frag3 engine was giving similar
fragmentation alerts. With alerting turned off for those three pp's I'm
down to the smtp and dcerpc2 pp's sending excessive false positive alerts.

smtp - attempted command buffer overflow: more than 512 chars
smtp - attempted header name buffer overflow: ### chars before colon

I call the two above false positive because when looking at the
provided payload it appears that the preprocessor is alerting on data in
the body of the smtp message. I thought that putting the ignore_data
parameter in snort.conf for the smtp pp would stop this but it hasn't.

dcerpc2 - Connection-oriented DCE/RPC - Invalid major version: ###

This is supposed to alert when a dcerpc connection is made and the
major version is anything but 5 according to the documentation. When I
download the payload in pcap format and view it with Wireshark the major
version is always correctly identified as 5 though.

I'm not sure where the problem lies (traffic, hardware, config, etc.)
but has anyone dealt with this before? I'd rather not turn off the pp
alerts completely but that is kind of where I'm at... is that what most
people do with the preprocessors?
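Before switching a preprocessor's alerts off wholesale, it helps to measure which generator is actually producing the volume. The following is an added Python example, not code from this thread or from the Snort project: it parses Snort alert_fast output and tallies alerts per generator ID (GID), so the noisiest preprocessor and its top SIDs are visible. The GID-to-preprocessor table is taken from the Snort 2.9 generator list as I remember it and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Snort 2.x generator IDs for the preprocessors discussed in the thread
# (assumed from the Snort manual's generator list; GID 1 is the rules engine).
PREPROCESSOR_GIDS = {
    119: "http_inspect (client)",
    120: "http_inspect (server)",
    123: "frag3",
    124: "smtp",
    129: "stream5",
    133: "dcerpc2",
}

# alert_fast shape: <timestamp>  [**] [gid:sid:rev] <message> [**] [Priority: n] ...
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# Constructed sample log; SIDs and messages are illustrative only.
SAMPLE_LOG = """\
09/30-10:01:02.000001  [**] [129:4:1] Stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 10.0.0.5:49152 -> 10.0.0.9:80
09/30-10:01:02.000002  [**] [129:4:1] Stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 10.0.0.5:49153 -> 10.0.0.9:80
09/30-10:01:03.000003  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Priority: 3] {UDP} 10.0.0.7 -> 10.0.0.9
09/30-10:01:04.000004  [**] [124:1:1] (smtp) Attempted command buffer overflow: 600 chars [**] [Priority: 3] {TCP} 10.0.0.5:49154 -> 10.0.0.25:25
09/30-10:01:05.000005  [**] [133:1:1] (dcerpc2) Connection-oriented DCE/RPC - Invalid major version: 8 [**] [Priority: 3] {TCP} 10.0.0.5:49155 -> 10.0.0.30:135
09/30-10:01:06.000006  [**] [1:2000001:1] Constructed rule alert [**] [Priority: 2] {TCP} 10.0.0.5:49156 -> 10.0.0.9:22
"""

def tally_alerts(lines):
    """Return (alerts per GID, alerts per (GID, SID), first message seen per (GID, SID))."""
    by_gid, by_sid, messages = Counter(), Counter(), {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank, truncated or non-alert line: skip rather than crash
        gid, sid = int(m.group(1)), int(m.group(2))
        by_gid[gid] += 1
        by_sid[(gid, sid)] += 1
        messages.setdefault((gid, sid), m.group(4))
    return by_gid, by_sid, messages

def report(lines):
    """One line per generator, noisiest first, e.g. 'stream5: 2 (33%)'."""
    by_gid, _, _ = tally_alerts(lines)
    total = sum(by_gid.values()) or 1
    out = []
    for gid, n in by_gid.most_common():
        name = PREPROCESSOR_GIDS.get(gid, "rules" if gid == 1 else f"gid {gid}")
        out.append(f"{name}: {n} ({100 * n // total}%)")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Point it at a real alert file with `report(open("alert").read().splitlines())`; a GID that dominates the totals is the one to tune (ports, policy, ignore_data) before considering turning its alerts off.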

