Snort mailing list archives

Tcp errors by the dozen, but all false positives ?


From: Crusty Saint <saintcrusty () gmail com>
Date: Mon, 10 Jan 2011 16:53:31 +0100

Hi,

While reviewing the snort logs I've found an extensive amount of the
following alerts:

[129:7:1] Limit on number of overlapping TCP packets reached
[Classification: Potentially Bad Traffic] [Priority: 2] <eth0>

For the first one, I've played with setting the threshold to a value above
10 (> 30, then back to 20). When at 30 there are virtually no more
notifications, when on 20 only on rare occasions. As the default is 0 I
suspect this is a parameter prone to cause false positives. But as it is
related to IDS evasion I'm anxious whether or not to turn it off. It is my
understanding that retransmissions and/or duplication of packets could be a
cause for this alert to occur.



[129:15:1] Reset outside window [Classification: Potentially Bad Traffic]
[Priority: 2] <eth0>

As this is a seemingly complex event to happen by itself this worries me
most. This does seem to be possibly hardware related, in relation to the
first alert/notification above.



[129:14:1] TCP Timestamp is missing [Classification: Potentially Bad
Traffic] [Priority: 2] <eth0>

As this is a seemingly complex event to happen by itself this worries me
most. This does not seem to be possibly hardware related.



Thank you for your time and consideration,

Crusty
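A triage step that helps with the question raised in this post (are these stream5 events noise from a few hosts, or spread across the network?) is to tally the alerts per generator:signature and see how concentrated each one is on a single source address. The script below is an added example, not part of the original post or of Snort itself. It assumes Snort's default "fast" alert output format (no `<eth0>` interface tag); the alert lines, addresses and the 80% concentration cutoff used for the hint are constructed for illustration.

```python
"""Tally Snort 'fast' alert lines by gid:sid and by source host.

Added example, not from the original post. Assumes the default alert_fast
output format; all alert lines below are constructed samples.
"""
import re
from collections import Counter, defaultdict

# One line of Snort's default fast-format alert output (assumed layout):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (RFC 5737 documentation addresses), plus one
# malformed line to show that unparsable input is counted, not crashed on.
SAMPLE_ALERTS = """\
01/10-16:40:01.000001  [**] [129:7:1] Limit on number of overlapping TCP packets reached [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:443 -> 198.51.100.7:51012
01/10-16:40:02.000002  [**] [129:7:1] Limit on number of overlapping TCP packets reached [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:443 -> 198.51.100.8:51013
01/10-16:40:03.000003  [**] [129:7:1] Limit on number of overlapping TCP packets reached [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:443 -> 198.51.100.9:51014
01/10-16:40:04.000004  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:443 -> 198.51.100.7:51012
01/10-16:40:05.000005  [**] [129:14:1] TCP Timestamp is missing [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:60022 -> 198.51.100.20:22
01/10-16:40:06.000006  [**] [129:14:1] TCP Timestamp is missing [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.6:60023 -> 198.51.100.20:22
this line is not a Snort alert and must be skipped
"""

# Assumed cutoff: if one source produces at least this share of a
# signature's events, the hint points at that host rather than at tuning.
CONCENTRATION_CUTOFF = 0.8


def parse_alert(line):
    """Return a dict of fields for one fast-format line, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["gid"], rec["sid"] = int(rec["gid"]), int(rec["sid"])
    return rec


def summarize(lines):
    """Aggregate alerts per (gid, sid, msg).

    Returns (report, unparsed) where report maps each signature to its total
    count, number of distinct source hosts, the busiest source and that
    source's share of the events.
    """
    per_sig = Counter()
    src_by_sig = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["gid"], rec["sid"], rec["msg"])
        per_sig[key] += 1
        src_by_sig[key][rec["src"]] += 1
    report = {}
    for key, total in per_sig.items():
        top_src, top_n = src_by_sig[key].most_common(1)[0]
        report[key] = {
            "total": total,
            "distinct_sources": len(src_by_sig[key]),
            "top_source": top_src,
            "top_source_share": top_n / total,
        }
    return report, unparsed


def triage_hint(entry):
    """Heuristic reading of one report entry (assumed cutoff, see above)."""
    if entry["top_source_share"] >= CONCENTRATION_CUTOFF:
        return "concentrated on %s: inspect that host/path first" % entry["top_source"]
    return "spread across %d sources: consider tuning the preprocessor" % entry["distinct_sources"]


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_ALERTS.splitlines())
    for (gid, sid, msg), entry in sorted(report.items()):
        print("[%d:%d] %-55s n=%d  %s" % (gid, sid, msg, entry["total"], triage_hint(entry)))
    print("unparsed lines:", skipped)
```

Run it against a real alert file with `summarize(open("alert").readlines())`; a signature whose events all come from one source address is a candidate for a host-level cause (including the hardware suspicion raised above), whereas one spread evenly across many talkers is more likely to be a preprocessor setting worth revisiting.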