Snort mailing list archives

Stream preprocessor 3WHS port suppression


From: Andrea Venturoli <ml () netfence it>
Date: Thu, 7 Jul 2016 11:22:52 +0200

Hello.

Please forgive if this is a nooby question...

I've got a box which is triggering tons of
[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.13:2049 -> 10.1.2.15:989

That stream is due to an NFS mount, so it will always start before 
Snort, and Snort will never see the handshake.

From README.stream5, the only argument to "require_3whs" is a delay, 
which won't help in this case.

Is it possible to suppress this check on a given set of ports (2049 in 
my case), like "ignore_ports" does for "small_segments"?

  bye & Thanks
        av.
