Snort mailing list archives

Re: Anyone else seeing lots of 129 20 this am?


From: Brian Cole via Snort-users <snort-users () lists snort org>
Date: Tue, 3 Sep 2019 20:01:41 +0000

I can provide a little more information here.

As far as I can tell my installation of PulledPork *is* configured to update the preprocessor rules, but it seems to 
have skipped them for some reason.  So I manually untarred the Snort rules tarball it downloaded, found the 
preprocessor.rules file and copied it to my /etc/snort folder where it needed to be, and then restarted Snort.  I 
manually looked at the file and it is MUCH larger than the one I had previously.  While that may have fixed that 
configuration issue, I have been watching my Snort alert log and I am still seeing TONS of 129:20:1 alerts still, so 
the original problem remains...  :-(

   [129:20:1] TCP session without 3-way handshake [**] [Classification: Potentially Bad Traffic] [Priority: 2]

Something caused Snort to get real noisy for that issue on August 31st.  This issue is occurring on multiple Snort 
servers I manage in different countries.
...brian