Re: Aurora Exploit Attempt Alert One Hour Delay

["Joel Esler (jesler)" <jesler () cisco com>]

On Jan 23, 2014, at 5:32 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

> On 1/23/14 4:28 PM, LaTonya Hall wrote:
> > There is about a one hour delay from exploit attempt to snort alert…any ideas?
> >
> > -LaTonya
> This happens with Suricata sometimes, there is some timeout value for sessions that don't get closed then the open 
> session finally gets reaped and the alerts flushed out. Don't know if the same happens in Snort (or if you are 
> running Snort or Suricata).

Depends on the set up of stream. I think by default it should purne after 120 seconds.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!