Snort mailing list archives

Re: Stream5


From: Nicholas Horton <fivetenets () me com>
Date: Sat, 25 Aug 2012 16:32:15 -0400

Thanks.  A lot of the alerts were port 445.  I decided to suppress that alert so I can look at some other alerts. I 
plan on coming back to it if I can get the alerts to settle down.  I'm having issues with a couple of stream5 rules.

Thanks again,
Nick

On Aug 23, 2012, at 9:28 PM, ARAI Shun-ichi <hermes () ceres dti ne jp> wrote:

In <7ED45A0B-7F8F-41C3-AE55-5CF703460DB7 () me com>;
  Nicholas Horton <fivetenets () me com> wrote
  as Subject "Re: [Snort-users] Stream5":

I tried removing detect_anomalies and setting the small_segments value to 0 and it still pops up repeatedly.

Any more ideas why the small segment stream5 pp is getting triggered?

How about adding the port number to the "ports" port list?
(If you get alerts for specific port(s).)

Or, if you are sure that the alerts mean no security risk, you can
suppress the alert message.

For example, write local rules like:
suppress gen_id 129, sig_id 12, track by_dst, ip XX.XX.XX.XX
suppress gen_id 129, sig_id 12, track by_src, ip XX.XX.XX.XX

BTW, I am using Snort on Linux and a Windows PC (XP SP3).
On Win XP (with a wireless network), the device sometimes hangs after a
small segment alert. I am not sure whether small segments cause it or
not.
The device revives after reconnecting to the access point.

Is there any solution?

(Snort: 2.9.3, WinPcap: 4.1.2)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
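
Added example (not part of the original messages and not Snort's own code): a suppress entry like the ones suggested above silences gen_id 129, sig_id 12 for an IP address on every port, so this Python script tallies those alerts from alert_fast-style lines and emits by_dst entries only for hosts whose alerts were all on ports already reviewed. The sample log lines, addresses, function names and the min_hits threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed alert_fast-style lines (documentation addresses, shortened
# message text); they are not taken from the thread.
SAMPLE = """\
08/23-21:28:01.1 [**] [129:12:1] small segments [**] {TCP} 192.0.2.11:49160 -> 192.0.2.20:445
08/23-21:28:02.1 [**] [129:12:1] small segments [**] {TCP} 192.0.2.12:49161 -> 192.0.2.20:445
08/23-21:28:03.1 [**] [129:12:1] small segments [**] {TCP} 192.0.2.13:49162 -> 192.0.2.20:445
08/23-21:28:04.1 [**] [129:12:1] small segments [**] {TCP} 192.0.2.11:49163 -> 192.0.2.30:445
08/23-21:28:05.1 [**] [129:12:1] small segments [**] {TCP} 192.0.2.12:49164 -> 192.0.2.30:445
08/23-21:28:06.1 [**] [129:12:1] small segments [**] {TCP} 192.0.2.13:49165 -> 192.0.2.30:8080
08/23-21:28:07.1 [**] [129:12:1] small segments [**] {TCP} 192.0.2.11:49166 -> 192.0.2.40:445
08/23-21:28:08.1 [**] [1:1000001:1] other rule [**] {TCP} 192.0.2.11:49167 -> 192.0.2.20:445
"""

ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*\{TCP\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def tally(log_text, gid=129, sid=12):
    """Count alerts for one gen_id/sig_id per (destination IP, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT.search(line)
        if m and int(m["gid"]) == gid and int(m["sid"]) == sid:
            counts[(m["dst"], int(m["dport"]))] += 1
    return counts

def suppress_lines(counts, reviewed_ports, min_hits=3, gid=129, sid=12):
    """Emit by_dst suppress entries only for hosts that are noisy (>= min_hits)
    and whose alerts were seen exclusively on reviewed ports."""
    per_host = {}
    for (dst, port), n in counts.items():
        per_host.setdefault(dst, Counter())[port] += n
    out = []
    for dst, ports in sorted(per_host.items()):
        if set(ports) <= set(reviewed_ports) and sum(ports.values()) >= min_hits:
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}")
    return out

if __name__ == "__main__":
    for entry in suppress_lines(tally(SAMPLE), reviewed_ports={445}):
        print(entry)
```
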
