Snort mailing list archives

Re: Anyone else seeing lots of 129 20 this am?


From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Tue, 3 Sep 2019 22:21:50 +0000

Perhaps you can capture some traffic and see if the 3whs is completed?

On 9/3/19, 5:23 PM, "Brian Cole" <cole () echoworx com> wrote:

    Thanks very much for that information, Joel.  I have disabled anomaly detection for the stream5_global preprocessor on one of our servers and these 129:20 alerts stopped coming in.  The alerts were coming in from internal traffic between servers, so it isn't clear why Snort thinks the three-way handshake wasn't completed anyway.

    ...brian

    -----Original Message-----
    From: Joel Esler (jesler) [mailto:jesler () cisco com]
    Sent: September 3, 2019 4:32 PM
    To: Brian Cole; jlay () slave-tothe-box net
    Cc: snort-users () lists snort org
    Subject: Re: [Snort-users] Anyone else seeing lots of 129 20 this am?

    We didn't update the version of Snort you all are using.  But we did update the preprocessor.rules file.  So, if you are getting alerts now, Snort may have been generating them all along, and the preprocessor file was never able to generate a named alert, as Snort didn't know what to name it.

    If you want to disable this check, it's part of the stream5 preprocessor configuration with the "detect anomalies" configuration line.

    --
    Joel Esler
    Manager, Communities Division
    Cisco Talos Intelligence Group
    http://www.talosintelligence.com
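Joel's suggestion above, to capture the traffic and check whether the three-way handshake actually completed, carried out over a tshark field export as an added example (this is not code from the thread or from the Snort project; the tshark invocation, the constructed sample lines and the function names are assumptions):

```python
# Added example: classify each TCP flow in a capture by whether its 3-way handshake
# was observed. Input lines are assumed to come from
#   tshark -r capture.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
# (tab-separated, tcp.flags as hex). The sample below is constructed, not a real capture.
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Flow A: SYN, SYN-ACK, ACK, then data. Flow B: only ACK/PSH-ACK segments, i.e. a
# connection the sensor picked up mid-stream with no handshake in the capture.
SAMPLE = """\
10.0.0.5\t51000\t10.0.0.9\t443\t0x0002
10.0.0.9\t443\t10.0.0.5\t51000\t0x0012
10.0.0.5\t51000\t10.0.0.9\t443\t0x0010
10.0.0.5\t51000\t10.0.0.9\t443\t0x0018
10.0.0.7\t40022\t10.0.0.9\t8443\t0x0018
10.0.0.9\t8443\t10.0.0.7\t40022\t0x0010
"""

STATE_NAMES = {3: "complete", 2: "partial", 1: "partial", -1: "midstream"}

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow map to one entry."""
    return tuple(sorted([(src, int(sport)), (dst, int(dport))]))

def handshake_state(lines):
    """Map each flow to 'complete' (SYN, SYN-ACK, ACK all seen), 'partial'
    (SYN seen but handshake never finished) or 'midstream' (no SYN at all)."""
    states = defaultdict(int)  # 0 unseen, 1 SYN, 2 SYN-ACK, 3 complete, -1 midstream
    for line in lines:
        if not line.strip():
            continue
        src, sport, dst, dport, flags = line.rstrip("\n").split("\t")
        f, key = int(flags, 16), flow_key(src, sport, dst, dport)
        s = states[key]
        if f & SYN and not f & ACK and s == 0:
            states[key] = 1            # client SYN opens the handshake
        elif f & SYN and f & ACK and s == 1:
            states[key] = 2            # server SYN-ACK
        elif f & ACK and not f & SYN and s == 2:
            states[key] = 3            # final ACK: session established
        elif s == 0:
            states[key] = -1           # first segment seen is not a SYN
    return {k: STATE_NAMES[v] for k, v in states.items()}

if __name__ == "__main__":
    for flow, state in handshake_state(SAMPLE.splitlines()).items():
        print(state, flow)
```

Flows reported as "midstream" are the ones a sensor started after the connection opened (or one that only sees one side of the traffic) cannot have validated, which is the condition the stream5 anomaly check reacts to.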
