Snort mailing list archives

Re: Anyone else seeing lots of 129 20 this am?


From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Tue, 3 Sep 2019 20:32:09 +0000

We didn't update the version of Snort you all are using.  But we did update the preprocessor.rules file.  So, if you 
are getting alerts now, Snort may have been generating them all along, and the preprocessor file was never able to 
generate a named alert, as Snort didn't know what to name it.

If you want to disable this check, it's part of the stream5 preprocessor configuration with the "detect anomalies" 
configuration line. 

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On 9/3/19, 4:02 PM, "Brian Cole" <cole () echoworx com> wrote:

    I can provide a little more information here.
    
    As far as I can tell my installation of PulledPork *is* configured to update the preprocessor rules, but it seems 
    to have skipped them for some reason.  So I manually untarred the Snort rules tarball it downloaded, found the 
    preprocessor.rules file and copied it to my /etc/snort folder where it needed to be, and then restarted Snort.  I 
    manually looked at the file and it is MUCH larger than the one I had previously.    While that may have fixed that 
    configuration issue, I have been watching my Snort alert log and I am still seeing TONS of 129:20:1 alerts, so 
    the original problem remains...  :-(
    
       [129:20:1] TCP session without 3-way handshake [**] [Classification: Potentially Bad Traffic] [Priority: 2]
    
    Something caused Snort to get real noisy for that issue on August 31st.  This issue is occurring on multiple Snort 
    servers I manage in different countries.
    ...brian
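
As an added triage example (not code from this thread or from the Snort project), the following Python script parses Snort 2.x alert_fast lines like the one quoted above, counts 129:20 events per day so you can see whether the volume really changed on a given date or whether the preprocessor.rules update merely gave an existing event a name, and lists the top source hosts on the spike day. It assumes the default alert_fast layout (no year in the timestamp), IPv4 addresses only, and the log lines are constructed sample data.

```python
import re
import statistics
from collections import Counter

# Assumed Snort 2.x alert_fast layout (default timestamp has no year; IPv4 addresses only):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2})-[\d:.]+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*\d+\]"
    r"(?:\s+\{\w+\}\s+(?P<src>[^\s:]+):?\d*\s+->\s+(?P<dst>[^\s:]+):?\d*)?$")

def parse_alert(line):
    """Parse one alert_fast line; returns None for anything that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"date": m["date"], "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"], "src": m["src"]}

def daily_counts(lines, gid, sid):
    """Alerts per MM/DD for one gid:sid, e.g. 129:20 (TCP session without 3-way handshake)."""
    counts = Counter()
    for a in map(parse_alert, lines):
        if a and (a["gid"], a["sid"]) == (gid, sid):
            counts[a["date"]] += 1
    return counts

def spike_days(counts, factor=5):
    """Days carrying at least `factor` times the median volume of the other days."""
    spikes = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day] or [0]
        if n >= factor * max(statistics.median(others), 1):
            spikes.append(day)
    return sorted(spikes)

def top_sources(lines, gid, sid, day, limit=3):
    """Most frequent source hosts for gid:sid on `day`; a few dominating hosts points at a local cause."""
    hits = [a for a in map(parse_alert, lines)
            if a and a["src"] and a["date"] == day and (a["gid"], a["sid"]) == (gid, sid)]
    return Counter(a["src"] for a in hits).most_common(limit)

# Constructed sample log (not from the thread): two quiet days, then a burst on 08/31.
def _line(date, src, dst="192.0.2.10:443", gid=129, sid=20, msg="TCP session without 3-way handshake"):
    return (f"{date}-12:00:00.000000  [**] [{gid}:{sid}:1] {msg} [**] "
            f"[Classification: Potentially Bad Traffic] [Priority: 2] {{TCP}} {src} -> {dst}")
SAMPLE = ([_line("08/29", "198.51.100.4:51000"), _line("08/29", "198.51.100.5:51001"),
           _line("08/30", "198.51.100.4:51002"), _line("08/30", "198.51.100.6:51003")]
          + [_line("08/31", f"203.0.113.7:{40000 + i}") for i in range(7)]
          + [_line("08/31", f"198.51.100.{i + 1}:51010") for i in range(3)]
          + [_line("08/31", "198.51.100.9:51020", gid=1, sid=1000001, msg="constructed local rule"), "not an alert line"])
```

Run it against a real alert file with `daily_counts(open(path), 129, 20)`; if the spike day is dominated by a handful of hosts, look at those flows before touching the stream5 `detect_anomalies` setting, since disabling it silences every anomaly event, not just this one.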
    
