Snort mailing list archives

Re: Can't alert on most


From: Carlos G Mendioroz <tron () acm org>
Date: Tue, 04 Mar 2014 14:58:16 -0300


Waldo,
it seems to me that Michael is more concerned about not receiving any
port scan event than about receiving the small segments alert.

I'm also seeing this (weird) behaviour of one alert being produced
and nothing else with 2.9.6 and "stock" (in my case snapshot #2960) rules.

-Carlos

waldo kitty @ 04/03/2014 09:25 -0300 dixit:
> On 3/3/2014 9:48 PM, Michael Wisniewski wrote:
>> ...and there's some other alerts, but the TCP small segments are
>> the ones that dominate the log.  I can do an nmap scan from
>> offsite and all I see is the above alert; nothing about a
>> portscan.
>>
>> Does anybody know why I'm seeing this?  In the conf file, I have
>> pretty much all stock (except for the paths).  Is there something
>> else that needs to be enabled in order to see the proper alerts?
>
> it really isn't about seeing "the proper alerts"... the small
> segments alerts are proper alerts... the question is how do you
> want to solve it... there are several ways... one way is to disable
> the rule by commenting it out in the preprocessor rules file...
> another way is to threshold the rule... but tuning your
> snort.conf's stream5_tcp small_segments settings or removing the
> small_segments settings portion of the config would probably be
> better... IMO, the former is the preferred with the latter and
> others being (extreme) last resort methods...


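To make the options in waldo's quoted reply concrete, here is an added snort.conf fragment that is not from this thread and not the Snort distribution's own default file. It shows the stream5_tcp small_segments tuning beside an event_filter that rate-limits the same alert, the include that makes preprocessor rules visible at all, and the sfportscan preprocessor that has to be active before any portscan event can appear. The segment count, byte size, ignore_ports list and filter count/seconds are assumptions to be adjusted to local traffic; 129:12 is the stream5 small-segment generator/signature id, and the stock 2.9 snort.conf ships the sfportscan line commented out, so check your own copy.

```conf
# Added example, not from the thread or the stock snort.conf.
# Numeric values below are assumed placeholders, not recommendations.

# Option A: tune the small-segment detector rather than silence it.
# Stock is "small_segments 3 bytes 150" (alert after 3 consecutive
# segments under 150 bytes). Raising the count and lowering the size
# means only genuinely tiny, repeated segments fire; ignore_ports skips
# ports where small segments are normal (interactive SSH/telnet).
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    small_segments 5 bytes 40 ignore_ports 22 23

# Option B (the "last resort" in the reply): drop the small_segments
# clause entirely, which disables that check but keeps stream tracking.
# preprocessor stream5_tcp: policy windows, detect_anomalies

# Option C: keep the check but threshold the alert it raises.
# GID 129 / SID 12 is the stream5 small-segment event; this limits it
# to one alert per source every 60 seconds so it no longer floods the log.
event_filter gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60

# Option D: disable the preprocessor rule itself by commenting out the
# 129:12 line in preprocessor.rules. That file must be included for any
# stream5 alert to show up, which the stock snort.conf does with:
include $PREPROC_RULE_PATH/preprocessor.rules

# Portscan events come only from sfportscan. If this line is still
# commented out (as it is in the shipped 2.9 snort.conf), an external
# nmap scan produces stream5 anomaly alerts but no portscan alert.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
```

After editing, run snort with -T against the config to validate the syntax before restarting the sensor, and confirm that GID 122 (sfportscan) rules are present in preprocessor.rules so the newly enabled preprocessor has something to alert through.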
