[Snort-devel] snort on a span/monitor port on cisco : false positives thru the roof ?

Crusty Saint saintcrusty at ...2499...
Wed Jan 26 10:43:12 EST 2011


had bad span port positioning reconfigured, fixed *blush*

2011/1/24 Crusty Saint <saintcrusty at ...2499...>

> Hi,
>
> I've been looking into results for a snort 2.9.0.3 connected to a span port
> on a switch. The traffic is between a load-balancer and a virtualised
> server.
>
> What I am seeing that disturbs me most is a LOT of TCP overlapping packets,
> packets out of PAWS window and other possible evasion-related
> notifications.
>
> [129:7:1] Limit on number of overlapping TCP packets reached
> [Classification: Potentially Bad Traffic] [Priority: 2]
> [129:4:1] TCP Timestamp is outside of PAWS window [Classification: Generic
> Protocol Command Decode] [Priority: 3]
>
> Further there are also messages regarding normal packets being outside of
> their window size.
>
> Setting the threshold from 10 to 100 obviously reduced the number of
> messages related to overlapping TCP packets ... but I'm curious ... after a
> while the new threshold is reached again.
>
> Now my question is
>
> (1) if this could be indicative of traffic running across a span/monitor
> port on a Cisco switch
> OR
> (2) if this is normal when watching traffic to/from a virtualised server.
>
>
> Can you please inform me on possible interference from my set-up regarding
> these measurements?
>
>
> St. Crusty
>



-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
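A check for the situation this thread ended on, added here as an example and not code from the original posts or from the Snort project: a badly positioned SPAN session hands the sensor every frame twice, and stream5 counts each copy as an overlapping segment, so the 129:7 limit is reached no matter how high it is set. The script below takes segment tuples (flow key, IP ID, starting sequence number, payload; these field names and the sample data are constructed for illustration) and separates exact frame copies from real retransmissions and from overlaps whose bytes differ, which are the only ones the evasion checks are meant for.

```python
"""Sort TCP overlaps seen on a SPAN port into frame copies vs. real ones.
Snort's stream5 raises 129:7 once a flow passes its overlap limit; a mirror
session that delivers each frame twice makes every segment an overlap, so
raising the limit only delays the alert. Byte-differing overlaps matter."""
from collections import defaultdict

def classify_overlaps(segments):
    """segments: (flow, ip_id, seq, payload) tuples in capture order.
    Returns per-flow counts of:
      mirror_duplicate - same IP ID, seq and bytes as an earlier segment
                         (one frame copied twice by the SPAN session);
      retransmission   - same bytes in the same range, different IP ID;
      data_overlap     - ranges intersect but the bytes differ."""
    seen = defaultdict(list)
    counts = defaultdict(lambda: {"mirror_duplicate": 0,
                                  "retransmission": 0, "data_overlap": 0})
    for flow, ip_id, seq, payload in segments:
        verdict = None
        for p_id, p_seq, p_payload in seen[flow]:
            lo = max(seq, p_seq)
            hi = min(seq + len(payload), p_seq + len(p_payload))
            if lo >= hi:                       # no byte range in common
                continue
            if payload[lo - seq:hi - seq] != p_payload[lo - p_seq:hi - p_seq]:
                verdict = verdict or "data_overlap"
            elif (p_id, p_seq, p_payload) == (ip_id, seq, payload):
                verdict = "mirror_duplicate"   # strongest evidence, stop
                break
            else:
                verdict = verdict or "retransmission"
        if verdict:
            counts[flow][verdict] += 1
        seen[flow].append((ip_id, seq, payload))
    return {f: dict(c) for f, c in counts.items()}

def mirror_duplication_suspected(counts, threshold=0.5):
    """True when at least `threshold` of all overlaps are exact frame copies,
    i.e. the SPAN session rather than the endpoints is driving the alerts."""
    dup = sum(c["mirror_duplicate"] for c in counts.values())
    total = sum(sum(c.values()) for c in counts.values())
    return total > 0 and dup / total >= threshold

# Constructed sample (not a real capture): each lb->vm frame arrives twice,
# plus one genuine retransmission and one overlap carrying different bytes.
SAMPLE = [
    ("lb->vm", 100, 1000, b"GET /a"), ("lb->vm", 100, 1000, b"GET /a"),
    ("lb->vm", 101, 1006, b" HTTP"), ("lb->vm", 101, 1006, b" HTTP"),
    ("lb->vm", 102, 1006, b" HTTP"),                # sender resent it
    ("vm->lb", 200, 5000, b"200 OK"), ("vm->lb", 201, 5003, b"XX"),
]
```

Fed with tuples pulled from a real capture of the span port, a high mirror_duplicate share says to fix the SPAN source/destination before touching the stream5 overlap limit.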