Snort mailing list archives

Re: NIPS Rules


From: wkitty42 () windstream net
Date: Mon, 21 Aug 2017 15:18:32 -0400

On 08/21/2017 02:25 PM, Manojit Ghosh via Snort-users wrote:
I have installed Snort 2.9.9.0 on windows 7 professional 32 bit and running it using the command snort -i 3 -c C:\Snort\etc\snort.conf -A fast. In the alert.ids file, I see a lot of reset outside window alerts, such as this, 08/21-23:16:37.473511 [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:443 -> XXXX:XXXX:XXXX:XXXX:XXXX:57462. I have reason to believe that these alerts are the result of malicious activities. I want to protect my network from these attacks. Please provide me the precise instructions to prevent these attacks, i.e. the rule(s), the file to place the rule(s) in, & the location of the file.


if the rule is alerting, then you are already detecting them... if you want to block them, add the remote IP to your firewall's blocking list...

but these may not really be attacks... you need to capture the traffic and study it to see if it really is an attack... it may be that you need to simply adjust your stream5 preprocessor settings in your snort.conf file... search for "small_segments" and increase the count if you like... see README.stream5 for more information...

FWIW: one thing that i've noted over the years of using snort is that new folks to snort are now suddenly introduced to what's really going on on their network and how it really works... many are quite surprised by traffic they had no idea about... i remember one person freaking out when they discovered how chatty NETBIOS/NETBEUI is and how often devices using that protocol fight over which one is going to be the master browser for the network ;)


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
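For anyone reading this thread later, here is an added example (not from the list post and not part of the Snort project) of a small Python parser for the `-A fast` alert lines quoted above. It groups events by GID:SID and labels GID 129 as the stream5 preprocessor, which is why there is no entry in any `.rules` file for `[129:15:1] Reset outside window`: those events are tuned on the `preprocessor stream5_tcp:` line of `snort.conf`, as the reply says, not blocked with a signature. It also lists the remote endpoints involved in stream5 events as a starting point for the packet capture the reply recommends. The sample alert lines are constructed with documentation addresses (2001:db8::/32 and 192.0.2.0/24), and SID 1000001 is a made-up placeholder in the local-rule range.

```python
import re
from collections import Counter

# One line of Snort "-A fast" output, in the shape quoted in the thread:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
# The Classification field is optional (rules without a classtype omit it).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Generator IDs as Snort 2.9 assigns them: 1 = text rules loaded from .rules files,
# 129 = the stream5 preprocessor, whose events are configured in snort.conf.
GID_ORIGIN = {1: "text rule", 129: "stream5 preprocessor"}

# Constructed sample alerts (not real traffic): documentation addresses only,
# and SID 1000001 is a placeholder in the local-rule range.
SAMPLE_ALERTS = [
    "08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8:1::10:443 -> 2001:db8:2::25:57462",
    "08/21-23:16:38.101002  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8:1::10:443 -> 2001:db8:2::25:57470",
    "08/21-23:16:40.220300  [**] [129:15:1] Reset outside window [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.50:443 -> 192.0.2.7:50112",
    "08/21-23:17:02.000441  [**] [1:1000001:1] LOCAL placeholder rule [**] [Priority: 3] {TCP} 192.0.2.7:50113 -> 192.0.2.50:80",
    "this line is not an alert and must be skipped",
]


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port). rpartition keeps IPv6 addresses intact,
    because the port is always the text after the final ':'."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if the line does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    gid = int(m.group("gid"))
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {
        "timestamp": m.group("ts"),
        "gid": gid,
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),  # None when the rule has no classtype
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_ip": dst_ip,
        "dst_port": dst_port,
        "origin": GID_ORIGIN.get(gid, "other generator"),
    }


def summarize(lines):
    """Count alerts per (gid, sid, msg, origin) so it is obvious which events come
    from a preprocessor (tune in snort.conf) and which from a rule (tune in .rules)."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is not None:
            counts[(rec["gid"], rec["sid"], rec["msg"], rec["origin"])] += 1
    return counts


def stream5_peers(lines):
    """Source addresses involved in stream5 (GID 129) events: the hosts whose
    traffic is worth capturing and reading before deciding anything is hostile."""
    peers = Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is not None and rec["gid"] == 129:
            peers[rec["src_ip"]] += 1
    return peers


if __name__ == "__main__":
    for (gid, sid, msg, origin), n in summarize(SAMPLE_ALERTS).most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}  ({origin})")
    for ip, n in stream5_peers(SAMPLE_ALERTS).most_common():
        print(f"{n:4d}  stream5 events with source {ip}")
```

Point `summarize()` at the lines of a real `alert.ids` instead of `SAMPLE_ALERTS` to get the same breakdown for your own sensor; the rpartition trick matters because the fast format appends the port to IPv6 addresses with another colon, so a naive `split(":")` would mangle them.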

