Snort mailing list archives
Re: Very high amount of "TCP Small Segment Threshold Exceeded"
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 28 Feb 2012 15:53:54 +0000
The short answer (IMHO) is that the preprocessor default settings are wrong, or at any rate not set to real-world TCP traffic. I made three changes that stopped all of the TCP errors caused by SSH traffic.

In "preprocessor frag3_engine", change "min_fragment_length 100" to "min_fragment_length 80".
In "preprocessor stream5_tcp", remove "detect_anomalies".
In "preprocessor ssh", remove "enable_protomismatch".

Part of the issue I have is there is a TCP fragment-reassembling firewall that also deals with anomalous TCP behavior, and the traffic it produces isn't always pleasing to Snort. Also, PuTTY will (in my experience) always produce the protocol mismatch warnings from the SSH preprocessor.

I will continue to tune these settings, but this is what I am using now, and so far it has removed all the TCP traffic FPs I was getting. You might want to set these one at a time and monitor the result before changing any of the others. Try changing just the "min_fragment_length" first.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Giacomo [mailto:lib.giacomo () gmail com]
Sent: Monday, February 27, 2012 01:40
To: snort-users () lists sourceforge net
Subject: [Snort-users] Very high amount of "TCP Small Segment Threshold Exceeded"

Hi there,

I recently started using Snort. After enabling the (default) preprocessor configuration I started receiving very large amounts of events regarding stream5. Since it is a server that is not being used for anything, I assume this event is generated by my SSH connection.

A couple of topics have discussed this, but none come with a very clear answer why this is occurring and how you can solve it. The only two suggestions I found were to change the max_tcp value in stream5_global or increase the memcap. But neither of these suggestions works.

So I am wondering if any one of you has an idea why this is occurring and what I can do about it.

Thanks.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
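The three edits in the reply above, applied one at a time so each can be watched in isolation, as an added example that is not part of the original post or of the Snort project. The snort.conf fragment it writes is constructed here to resemble the stock preprocessor lines of that era (the exact defaults on a given install may differ), and the function names tune_snort_conf, write_sample_conf and has_setting are assumptions for this example. Two details the thread does not spell out and that the script is careful about: the frag3_engine line also carries a "detect_anomalies" keyword, and only the one on the stream5_tcp line is removed; and the "small_segments 3 bytes 150" option on the stream5_tcp line is the threshold behind the "TCP Small Segment Threshold Exceeded" event, which stream5 only alerts on while "detect_anomalies" is set, which is why step 2 silences it.

```shell
#!/bin/sh
# Apply one of the three preprocessor changes from Shane Castle's reply to a
# snort.conf, one step at a time, keeping a .bak copy so a step can be reverted
# if it makes things worse. Example code; not from Snort or the original post.

# write_sample_conf FILE
# Writes a constructed snort.conf fragment with stock-looking settings to FILE.
# The line contents are assumed to resemble the 2.9-era defaults.
write_sample_conf() {
  cat > "$1" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, overlap_limit 10, small_segments 3 bytes 150, timeout 180, ports client 21 22 23 25 53 80 110 143 443
preprocessor ssh: server_ports { 22 } autodetect max_client_bytes 19600 max_encrypted_packets 20 max_server_version_len 100 enable_respoverflow enable_ssh1crc32 enable_srvoverflow enable_protomismatch
EOF
}

# has_setting FILE PREPROCESSOR TOKEN
# Returns 0 if the "preprocessor PREPROCESSOR:" line in FILE contains TOKEN.
# Anchoring on the preprocessor name matters: several lines share keywords.
has_setting() {
  grep -q "^preprocessor $2:.*$3" "$1"
}

# tune_snort_conf FILE STEP
# STEP 1, 2 or 3, in the order the reply recommends trying them.
tune_snort_conf() {
  conf=$1
  step=$2
  case $step in
    1) # frag3_engine: lower min_fragment_length from 100 to 80
       sed -i.bak '/^preprocessor frag3_engine:/ s/min_fragment_length 100/min_fragment_length 80/' "$conf" ;;
    2) # stream5_tcp: remove detect_anomalies and its trailing comma, on that line only
       sed -i.bak '/^preprocessor stream5_tcp:/ s/detect_anomalies, *//' "$conf" ;;
    3) # ssh: remove enable_protomismatch (PuTTY trips it per the reply)
       sed -i.bak '/^preprocessor ssh:/ s/ *enable_protomismatch//' "$conf" ;;
    *) echo "tune_snort_conf: step must be 1, 2 or 3 (got '$step')" >&2
       return 2 ;;
  esac
}

# Stand-alone demo: apply all three steps to a temporary copy and show the result.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp)
  write_sample_conf "$demo"
  for s in 1 2 3; do tune_snort_conf "$demo" "$s"; done
  grep '^preprocessor \(frag3_engine\|stream5_tcp\|ssh\):' "$demo"
  rm -f "$demo" "$demo.bak"
fi
```

In practice run `tune_snort_conf /etc/snort/snort.conf 1`, restart Snort, and watch the stream5 and ssh event counts for a while before running step 2, then step 3, which is the one-change-at-a-time approach the reply recommends; `sed -i.bak` keeps the previous version beside the file so any step can be backed out.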
Current thread:
- Very high amount of "TCP Small Segment Threshold Exceeded" Giacomo (Feb 28)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" Castle, Shane (Feb 28)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" waldo kitty (Feb 28)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" Russ Combs (Feb 28)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" Giacomo (Feb 29)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" Russ Combs (Feb 29)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" waldo kitty (Feb 29)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" Giacomo (Mar 03)
- Re: Very high amount of "TCP Small Segment Threshold Exceeded" Russ Combs (Feb 28)