Snort mailing list archives

Re: too many Alerts (129:12:0)---more than 7000 alerts /per day


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 30 Dec 2010 05:27:35 -0700

Not much improvement (still 7000+ alerts (129:12:0) per day), then I did the
following in snort.conf:
From:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 100, timeout 180,
To:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 20, small_segments 6 bytes 250, timeout 180,

But Snort is still producing 7000+ alerts (129:12:0) every day, not sure
whether what I did above is the right way to reduce the number of these alerts.
 


John,

Since I'm guessing these aren't relevant to you, you can use your threshold
to ignore it.  In your threshold file:

suppress gen_id 129, sig_id 12

That should stop you from seeing it altogether.

James
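The suppress line above silences 129:12 (the stream5 "TCP Small Segment Threshold Exceeded" event, the one governed by the small_segments option being tuned) everywhere; as an added example that is not from this thread, here is a threshold.conf fragment showing that global suppress next to two narrower alternatives, with 10.1.1.54 and 10.1.1.0/24 as placeholder addresses to be replaced by whatever hosts your own alert logs point to.

```conf
# threshold.conf (pulled in from snort.conf with "include threshold.conf").
# Added example, not from the mailing list thread; the addresses below are
# placeholders. Pick ONE of the three approaches for a given gen_id/sig_id.

# 1. Global suppress, as suggested in the reply: 129:12 is never logged
#    again, from any host. Simplest, but a new misbehaving host or a real
#    evasion attempt using tiny segments will go unnoticed.
suppress gen_id 129, sig_id 12

# 2. Scoped suppress: drop the event only for the source host or subnet
#    that legitimately sends many small segments (e.g. an interactive
#    service), and keep alerting on everything else.
# suppress gen_id 129, sig_id 12, track by_src, ip 10.1.1.54
# suppress gen_id 129, sig_id 12, track by_src, ip 10.1.1.0/24

# 3. Rate limit instead of suppress: log at most one 129:12 per source per
#    hour, so a noisy host is still visible without 7000 alerts a day.
# event_filter gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 3600
```

Run snort -T -c snort.conf after editing to confirm the configuration still parses before restarting the sensor.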

