Snort mailing list archives

too many Alerts (129:12:0)---more than 7000 alerts /per day


From: Jun Wan <junwei_wan () hotmail com>
Date: Thu, 30 Dec 2010 07:07:39 +0000


Happy 2011 (almost) to all,

My Snort 2.8.6.0 is running on Ubuntu 10.04 (32bit) with Snort Report 1.3.1.

There were 7000~10000 alerts (129:12:0) every day, which slowed down Snort Report when loading data, so I did the following in threshold.conf and tried to reduce the number of the alerts:
threshold gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60
 
Not much improvement (still 7000+ alerts (129:12:0) per day), then I did the following in Snort.conf:
From:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
overlap_limit 10, small_segments 3 bytes 100, timeout 180,
To:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
overlap_limit 20, small_segments 6 bytes 250, timeout 180,
 
But Snort is still producing 7000+ alerts (129:12:0) every day, and I am not sure whether what I did above is the right way to reduce the number of these alerts.
 
Any suggestion to reduce the number of these alerts would be much appreciated. 
 
Thanks
Regards
John
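An added example (not from this thread or from the Snort project) that shows why a "type limit, track by_src, count 1, seconds 60" threshold can leave thousands of 129:12 alerts per day: it caps each source at one alert per minute, so a handful of chatty sources still yield up to 1440 alerts each. The script parses constructed alert_fast-style lines (the sample records and their message text are made up here), counts 129:12 alerts per source, and replays the limit threshold to estimate how many alerts would survive.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed alert_fast-style records (not real captures); the assumed layout is
# "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
SAMPLE_ALERTS = """\
12/30-07:00:01.000100  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.1.1.5:445 -> 10.1.1.20:49152
12/30-07:00:05.000200  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.1.1.5:445 -> 10.1.1.20:49153
12/30-07:00:40.000300  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.1.1.7:22 -> 10.1.1.20:49154
12/30-07:01:10.000400  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.1.1.5:445 -> 10.1.1.20:49155
12/30-07:01:20.000500  [**] [1:2000001:1] constructed test rule [**] [Priority: 1] {TCP} 10.1.1.9:80 -> 10.1.1.20:49156
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def parse_alerts(text, year=2010):
    """Return (timestamp, gid, sid, src_ip) tuples; alert_fast lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an alert record
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        events.append((ts, int(m["gid"]), int(m["sid"]), m["src"]))
    return events

def count_by_source(events, gid, sid):
    """Alerts of one gid:sid per source IP, to see how many hosts drive the volume."""
    return Counter(src for _, g, s, src in events if (g, s) == (gid, sid))

def simulate_limit(events, gid, sid, count, seconds):
    """Replay 'type limit, track by_src': log the first `count` alerts per source in each
    `seconds` window (window opens at the first alert), drop the rest; other sigs pass through."""
    window_start, seen, logged = {}, defaultdict(int), 0
    for ts, g, s, src in sorted(events):
        if (g, s) != (gid, sid):
            logged += 1
            continue
        start = window_start.get(src)
        if start is None or (ts - start).total_seconds() >= seconds:
            window_start[src], seen[src] = ts, 0
        if seen[src] < count:
            logged += 1
        seen[src] += 1
    return logged

def daily_ceiling(n_sources, count, seconds):
    """Upper bound on alerts/day that a by_src limit still allows for n_sources hosts."""
    return n_sources * count * (86400 // seconds)
```

With count 1 and seconds 60, five distinct sources alone can still produce 7200 alerts per day, which is in the range reported above.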