[Snort-users] "stream.c" in Nessus causes tons of same alerts!

Martin Roesch roesch at ...421...
Fri Sep 29 12:15:47 EDT 2000

Alert aggregation is something we've been talking about adding for quite some
time.  There are a number of big questions involved with doing something like
that, such as the loss in fidelity of data, etc.  

It should be noted that the rules in the *-lib files are examples and
recommendations only, you should definitely modify them to suit your


Xu Zhenqing wrote:
> snort-users:
>  I start the Snort-1.7Beta0 with Mysql support
> in my linux box. Everything is ok before I use
> the Nessus Scanner against the target host.
> After the scan, there are about 40,000 same
> items of "NMAP TCP PING!". The huge alert data
> cause MySql works very slowly.
> I look into the detail of the alert log, find that
> src_ip = dst_ip! After the investigation, nessus
> simulates the "stream.c" attack in
> plugins/scripts/stream.nasl. This plugin sends about
> 40,000 IP packets with the src_ip = dst_ip = target host.
> I think this is the cause of the tons of same alerts.
> Change the first line of the scan-lib:
> alert tcp any any -> $HOME_NET any (flag:A; ack:0; msg:"NMAP TCP PING!")
> to :
> alert tcp !$HOME_NET any -> $HOME_NET any (flag:A; ack:0; msg:"NAMP TCP PING!")
> can avoid the tons of same alerts.
> But now we will let the DOS attacker pass our SNORT.
>             Xu Zhenqing
>             xuzq at ...452...
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list