[Snort-users] Strange Alerts

Artur Bittencourt artur at ...8902...
Wed Apr 23 09:22:09 EDT 2003


Hi there,

I have the same situation here. After I upgraded to Snort 2.0.0
I got a lot of alerts (more than 191000) with "(snort_decoder): T/TCP
Detected" on my e-mail server. How do I turn this rule off?

Thank you for your attention,

Artur



At 10:31 23/4/2003 -0500, you wrote:

>Brett.Gillett at ...8974... wrote asking:
>
> >I have a question regarding alerts that we started to receive once we
> >upgraded to Snort 2.0, it seems that all of our sensors started generating
> >T/TCP Detected alerts
>
>T/TCP stands for "Transaction TCP", and is a way of dispensing with the
>customary three-way handshake used to initiate a TCP exchange over the
>network.  Do a Google on "t/tcp" and you'll find out lots about it, but
>here's a link to get started:
>
>   http://ttcplinux.sourceforge.net/
>
>I grepped the source IP in my webserver logs and have so far found that
>these packets are commonly associated with "normal" sessions involving
>Microsoft IE clients.  Are you hosting any websites?
>
>Best regards,
>
>Neil Dickey, Ph.D.
>Research Associate/Sysop
>Geology Department
>Northern Illinois University
>DeKalb, Illinois
>60115

Artur Bittencourt
PROCERGS - Cia. de Processamento de Dados do Estado do RGS
Divisão de Telecomunicações
CCNA Certified
Tel: +55 51 32103138  Fax: +55 51 32103159
Porto Alegre - RS - Brasil 
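
An added illustration, not part of the original message and not Snort's own code: T/TCP (RFC 1644) traffic is recognisable on the wire by the CC, CC.NEW and CC.ECHO TCP options (kinds 11, 12 and 13), and the code below parses a raw TCP header and reports them. The helper names and the sample headers are constructed for this example, and it is an assumption that the decoder alert discussed in the thread keys on these same options.

```python
import struct

# TCP option kinds defined for T/TCP in RFC 1644.
TTCP_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}

def tcp_options(header: bytes):
    """Yield (kind, data) for each option in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts = header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            return
        if kind == 1:                            # No-Operation (padding)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length

def ttcp_options(header: bytes):
    """Return the names of the T/TCP options present in the header."""
    return [TTCP_KINDS[k] for k, _ in tcp_options(header) if k in TTCP_KINDS]

def build_header(flags: int, options: bytes) -> bytes:
    """Build a constructed TCP header (ports and sequence numbers are made up)."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, offset << 4, flags, 8192, 0, 0) + options

# Constructed samples: a plain SYN with MSS only, and a SYN that also carries CC.
PLAIN_SYN = build_header(0x02, bytes([2, 4, 0x05, 0xB4]))
TTCP_SYN = build_header(0x02, bytes([2, 4, 0x05, 0xB4, 1, 1, 11, 6]) + struct.pack("!I", 7))

if __name__ == "__main__":
    for name, hdr in (("plain", PLAIN_SYN), ("ttcp", TTCP_SYN)):
        print(name, ttcp_options(hdr))
```

Running the same check over headers extracted from a capture of the alerting hosts shows which clients are actually sending these options before any alert is tuned out.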