Snort mailing list archives

snort on a span/monitor port on cisco : false positives thru the roof ?


From: Crusty Saint <saintcrusty () gmail com>
Date: Mon, 24 Jan 2011 15:24:06 +0100

Hi,

I've been looking into results for a snort 2.9.0.3 connected to a span port
on a switch. The traffic is between a load-balancer and a virtualised
server.

What I am seeing that disturbs me most is a LOT of TCP overlapping packets,
packets out of PAWS window and other possible evasion-related
notifications.

[129:7:1] Limit on number of overlapping TCP packets reached [Classification: Potentially Bad Traffic] [Priority: 2]
[129:4:1] TCP Timestamp is outside of PAWS window [Classification: Generic Protocol Command Decode] [Priority: 3]

Further, there are also messages regarding normal packets being outside of
their window size.

Setting the threshold from 10 to 100 obviously reduced the number of
messages related to overlapping TCP packets ... but I'm curious ... after a
while the new threshold is reached again.

Now my question is

(1) if this could be indicative of traffic running across a span/monitor
port on a cisco switch
OR
(2) if this is normal when watching traffic to/from a virtualised server.


Can you please inform me on possible interference from my set-up regarding
these measurements?


St. Crusty
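A small triage helper for the situation described above, added here as an example and not part of the original post or of Snort itself: it parses Snort "alert_fast" lines, keeps only the stream5 preprocessor alerts (generator ID 129, the same GID as the two alerts quoted), and counts them by signature and by host pair so you can see whether they concentrate on the load-balancer/server path. The sample alert lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (not taken from the post);
# the 129:7 and 129:4 signatures are the ones quoted in the message.
SAMPLE_ALERTS = """\
01/24-15:01:02.100000  [**] [129:7:1] Limit on number of overlapping TCP packets reached [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.10:443 -> 10.0.1.20:51000
01/24-15:01:02.200000  [**] [129:4:1] TCP Timestamp is outside of PAWS window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.1.20:51000 -> 10.0.0.10:443
01/24-15:01:03.000000  [**] [129:7:1] Limit on number of overlapping TCP packets reached [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.10:443 -> 10.0.1.21:51001
01/24-15:01:04.000000  [**] [1:2000001:1] constructed non-stream rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.2.5:1234 -> 10.0.0.10:80
"""

# gid:sid:rev, message text, protocol and the src -> dst endpoints of an alert_fast line
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alerts(text):
    """Yield one dict of named fields per parsable alert line; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def summarize_stream5(text, gid="129"):
    """Count alerts from the given generator (default: stream5) by (sid, message)
    and by unordered host pair, so noisy paths stand out from the rest."""
    by_sid = Counter()
    by_pair = Counter()
    for a in parse_alerts(text):
        if a["gid"] != gid:
            continue
        by_sid[(a["sid"], a["msg"])] += 1
        by_pair[tuple(sorted((a["src"], a["dst"])))] += 1
    return by_sid, by_pair

if __name__ == "__main__":
    sids, pairs = summarize_stream5(SAMPLE_ALERTS)
    for (sid, msg), n in sids.most_common():
        print(f"129:{sid} x{n}  {msg}")
    for (h1, h2), n in pairs.most_common():
        print(f"{h1} <-> {h2} x{n}")
```

Feed it the real alert file (e.g. by reading `/var/log/snort/alert`) instead of the constructed sample; a host pair that dominates the counts is the place to compare against a capture taken off the span port.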