Snort mailing list archives

Re: [Snort-Users] Re: too many stream5_tcp alerts


From: carlopmart <carlopmart () gmail com>
Date: Fri, 18 Mar 2011 11:47:24 +0100

On 03/17/2011 04:12 PM, carlopmart wrote:
On 03/16/2011 08:57 PM, striker wrote:
I believe you have to increase the max_tcp value under stream5_global

I was wrong about mac_tcp, apologize for that. I just did some digging
but could find the answer to your question.

Thanks striker. But how can I adjust this parameter without
compromising Snort??

I think there is no way to avoid restarting snort, for the new changes
to be effective.

If you think all those alerts are false positives, you can write a
filter in threshold.conf to suppress those alerts:

suppress gen_id 129, sig_id 12



Actually, they are false positives, because all the alerts come from secure hosts,
but in the future??

Moreover, new alerts appear:

03/17-15:53:55.936522 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.936560 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.938810 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.940118 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.941173 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.942404 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.943911 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.945152 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.946402 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.947904 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.949154 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.950417 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.951660 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.953160 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.954396 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.955635 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.957393 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.958649 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.960155 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.961421 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.962664 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80

And others from frag3:

03/17-16:04:04.496355 [**] [123:13:1] frag3: Fragments smaller than configured min_fragment_length [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.206.1 -> 192.168.34.3

This is a DNS query. Why is this alert fired??

All my problems are stream5 and frag3 related. Is it possible to start
with a simple stream5 and frag3 configuration with minimal security
from the Snort side??

Thanks.

Please, any help??

In the frag3 section I have reconfigured min_fragment_length with a value
of 32, but the alerts continue. How can I debug stream5_tcp and frag3 errors
to adjust them??

Thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
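An added worked example, not part of the thread above and not Snort's own code: before writing a threshold.conf entry it helps to tally which gid:sid pairs fire and from which hosts, then draft the filter lines from that. The script below parses alerts in Snort's alert_fast format (the same format as the lines quoted in the message), counts them per signature and per source/destination pair, and emits threshold.conf lines using the `suppress ... track by_src, ip` and `event_filter ... type limit` syntax of Snort 2.8.x/2.9.x. The sample alert text is constructed from the lines in the post, the "trusted hosts" list, the limit of 1 alert per 60 seconds, and the IPv4-only parsing are illustrative assumptions.

```python
"""Tally Snort alert_fast lines and draft threshold.conf filter lines.

Added example (not from the mailing-list thread, not Snort's own code).
Assumptions: alerts are in alert_fast format with IPv4 addresses; the
threshold.conf syntax used ('suppress' / 'event_filter') is the one
documented for Snort 2.8.x/2.9.x; trusted hosts and limits are illustrative.
"""
import re
from collections import Counter

# One alert per line:
# <date>-<time> [**] [gid:sid:rev] <msg> [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: three stream5 lines and the frag3 line from the post,
# each joined back onto a single line as alert_fast writes them.
SAMPLE_ALERTS = """\
03/17-15:53:55.936522 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.936560 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-15:53:55.938810 [**] [129:15:1] stream5: Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.6:33422 -> 212.149.110.26:80
03/17-16:04:04.496355 [**] [123:13:1] frag3: Fragments smaller than configured min_fragment_length [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 193.29.206.1 -> 192.168.34.3
"""


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Count alerts per (gid, sid, msg) and per (gid, sid, src, dst)."""
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_flow = Counter((a["gid"], a["sid"], a["src"], a["dst"]) for a in alerts)
    return by_sig, by_flow


def draft_filters(alerts, trusted_srcs, limit=1, seconds=60):
    """Draft threshold.conf lines from the observed alerts.

    A (gid, sid) seen only from trusted source hosts gets a per-host
    'suppress ... track by_src, ip <addr>', so the same event from any other
    host still alerts.  Every other (gid, sid) gets an
    'event_filter ... type limit' that keeps the first <limit> alerts per
    <seconds> per source instead of silencing the event: a burst of 21
    identical lines then becomes one line, and the event stays visible.
    """
    trusted = set(trusted_srcs)
    srcs_by_sig = {}
    for a in alerts:
        srcs_by_sig.setdefault((a["gid"], a["sid"]), set()).add(a["src"])
    lines = []
    for (gid, sid), srcs in sorted(srcs_by_sig.items()):
        if srcs <= trusted:
            for ip in sorted(srcs):
                lines.append(
                    f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            lines.append(
                f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count {limit}, seconds {seconds}")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    by_sig, by_flow = summarize(parsed)
    for key, n in by_sig.most_common():
        print(f"{n:5d}  {key[0]}:{key[1]}  {key[2]}")
    for key, n in by_flow.most_common():
        print(f"{n:5d}  {key[0]}:{key[1]}  {key[2]} -> {key[3]}")
    print("# draft threshold.conf lines (review before use):")
    for line in draft_filters(parsed, trusted_srcs=["192.168.34.6"]):
        print(line)
```

Run it against a real alert file with `parse_alerts(open("/var/log/snort/alert").read())`. The distinction the two filter forms make is the practical one: `suppress` hides the event from the listed hosts only, so a new host producing "Reset outside window" still alerts, while `event_filter ... type limit` keeps the event but caps the noise, which is the safer choice when it is not yet clear whether the events are benign. Either way the change needs a Snort restart or reload, as the thread notes, so test the drafted lines with `snort -T -c snort.conf` first.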
