Snort mailing list archives
too many stream5_tcp alerts
From: carlopmart <carlopmart () gmail com>
Date: Wed, 16 Mar 2011 18:56:37 +0100
Hi all,
I have a problem with my stream5_tcp policy. I have deployed a Snort
2.9.0.4 sensor on a management network on which two Stonegate
firewalls and one Stonegate management center reside. Immediately after Snort is
up, a lot of errors are displayed:
03/14-23:54:55.602720 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:54:58.105021 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:54:59.376684 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
192.168.34.3 is the stonegate management center, and firewalls are
192.168.34.5 and 192.168.34.6.
My stream5_tcp policy is configured like this:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, \
    track_icmp no, max_active_responses 2, min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150 ignore_ports 3020 8905, \
    timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
    161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
    7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 311 443 465 563 591 593 636 901 989 992 993 994 995 \
    1220 1414 1830 2301 2381 2809 3128 3702 5250 6907 7001 7702 7777 7779 \
    7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
    7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371
I have added Stonegate's administration ports 3020 and 8905 as ignored ports
under small_segments, without luck.
What am I doing wrong in my stream5_tcp policy?
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
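A small triage script, added here and not part of the original post or of Snort, that parses alert_fast lines like the ones above and counts them per signature, per source port and per host pair. On the poster's excerpt it shows that every alert has the management center's port 3020 as the source port, the port the poster added to ignore_ports. The sample lines are three of the post's alerts re-joined onto single lines, since Snort writes one line per alert and the mail client wrapped them.

```python
import re
from collections import Counter

# Snort alert_fast line layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count alerts per signature, per (src, sport) and per (src, dst) pair."""
    by_sig, by_sport, by_pair = Counter(), Counter(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # not an alert_fast line (blank, wrapped fragment, other output)
        by_sig[f"{a['gid']}:{a['sid']}:{a['rev']}"] += 1
        by_sport[(a["src"], int(a["sport"]))] += 1
        by_pair[(a["src"], a["dst"])] += 1
    return {"by_sig": by_sig, "by_sport": by_sport, "by_pair": by_pair}

# Constructed sample: three alerts from the post, each re-joined onto one line.
SAMPLE = """\
03/14-23:54:55.602720 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:54:58.105021 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:54:59.376684 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (src, sport), n in s["by_sport"].most_common():
        print(f"{src}:{sport}  {n} alerts")
    for (src, dst), n in s["by_pair"].most_common():
        print(f"{src} -> {dst}  {n} alerts")
```

Feed it a real alert file with `summarize(open("alert").readlines())`; if every hit shares one source port, the small_segments ignore_ports list is the right knob to examine.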
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
