[Snort-users] Strange Alerts

Brett.Gillett at ...8974... Brett.Gillett at ...8974...
Wed Apr 23 09:54:10 EDT 2003


Look in your snort.conf file for the following line and uncomment it.

# config disable_ttcp_alerts

That should stop those alerts.


Artur Bittencourt <artur at ...8902...>
Sent by: snort-users-admin at lists.sourceforge.net
23/04/2003 01:18 PM

        To:     snort-users at lists.sourceforge.net
        Subject:        Re: [Snort-users] Strange Alerts

Hi there,

        I have the same situation here. After I´ve upgraded to Snort 2.0.0 
I´ve got a lot of alerts (more than 191000) with "(snort_decoder): T/TCP 
Detected" on my e-mail server. How do I turn this rule off ?

Thank you for your attention,


At 10:31 23/4/2003 -0500, you wrote:

Brett.Gillett at ...8974... wrote asking:

>I have a question regarding alerts that we started to receive once we 
>upgraded to Snort 2.0, it seems that all of our sensors started 
>T/TCP Detected alerts

T/TCP stands for "Transaction TCP", and is a way of dispensing with the
customary three-way handshake used to initiate a TCP exchange over the
network.  Do a Google on "t/tcp" and you'll find out lots about it, but
here's a link to get started:


I grepped the source IP in my webserver logs and have so far found that
these packets are commonly associated with "normal" sessions involving
Microsoft IE clients.  Are you hosting any websites?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Artur Bittencourt
PROCERGS - Cia. de Processamento de Dados do Estado do RGS
Divisão de Telecomunicações
CCNA Certified
Tel: +55 51 32103138  Fax: +55 51 32103159
Porto Alegre - RS - Brasil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030423/77da3582/attachment.html>

More information about the Snort-users mailing list