[Snort-users] Strange Alerts

Artur Bittencourt artur at ...8902...
Wed Apr 23 09:22:09 EDT 2003

Hi there,

         I have the same situation here. After I´ve upgraded to Snort 2.0.0 
I´ve got a lot of alerts (more than 191000) with "(snort_decoder): T/TCP 
Detected" on my e-mail server. How do I turn this rule off ?

Thank you for your attention,


At 10:31 23/4/2003 -0500, you wrote:

>Brett.Gillett at ...8974... wrote asking:
> >I have a question regarding alerts that we started to receive once we
> >upgraded to Snort 2.0, it seems that all of our sensors started generating
> >T/TCP Detected alerts
>T/TCP stands for "Transaction TCP", and is a way of dispensing with the
>customary three-way handshake used to initiate a TCP exchange over the
>network.  Do a Google on "t/tcp" and you'll find out lots about it, but
>here's a link to get started:
>   http://ttcplinux.sourceforge.net/
>I grepped the source IP in my webserver logs and have so far found that
>these packets are commonly associated with "normal" sessions involving
>Microsoft IE clients.  Are you hosting any websites?
>Best regards,
>Neil Dickey, Ph.D.
>Research Associate/Sysop
>Geology Department
>Northern Illinois University
>DeKalb, Illinois
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Artur Bittencourt
PROCERGS - Cia. de Processamento de Dados do Estado do RGS
Divisão de Telecomunicações
CCNA Certified
Tel: +55 51 32103138  Fax: +55 51 32103159
Porto Alegre - RS - Brasil 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030423/f2923959/attachment.html>

More information about the Snort-users mailing list