[Snort-devel] snort on a span/monitor port on cisco : false positives thru the roof ?

Crusty Saint saintcrusty at ...2499...
Mon Jan 24 09:24:06 EST 2011


I've been looking into resulst for a snort connected to a span port
on a switch. The traffice is between a load-balancer and a virtualised

What i am seeing that disturbs me most is a LOT of TCP overlapping packet,
packets out of SPAWN window and other possible evasion-related

[129:7:1] Limit on number of overlapping TCP packets reached
[Classification: Potentially Bad Traffic] [Priority: 2]
[129:4:1] TCP Timestamp is outside of PAWS window [Classification: Generic
Protocol Command Decode] [Priority: 3]

further there are also messages regarding normal packet being outside of
their window size.

Setting the threshold from 10 to 100 obviously reduced the number of
messages related to overlapping tcp packets ... but i'm curious ... after a
while the new threshold is reached again.

Now is my question

(1) if this could be indicative for traffic running across a span/monitor
port on a cisco switch
(2) if this is normal when watching traffic to/from a virtualised server.

Can you please inform me on possible interference from my set-up regarding
these measurements ?

St. Crusty
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110124/63be3302/attachment.html>

More information about the Snort-devel mailing list