[Snort-users] snort-decoder

John Hally JHally at ...5637...
Mon May 12 06:50:09 EDT 2003


Hi guys,

I'm getting pummeled by these alerts (23,000+ this weekend) which have to be
false positives, but I can't figure out a way to disable it short of
shutting off the sensor.  Can anyone give me a little insight as to how to
disable this alert, or why I'm getting so many?:

#(9 - 66761) [2003-05-12 13:46:36] [snort/56]  (snort_decoder): T/TCP Detected
IPv4: 204.169.143.149 -> xxx.xxx.xxx.xxx
      hlen=5 TOS=0 dlen=68 ID=45277 flags=0 offset=0 TTL=55 chksum=25195
TCP:  port=1620 -> dport: 80  flags=******S* seq=2260574771
      ack=2218756307 off=12 res=0 win=16384 urp=0 chksum=41174
      Options:
       #1 - MSS len=2 data=0200
       #2 - NOP len=0
       #3 - WS len=1 data=00
       #4 - NOP len=0
       #5 - NOP len=0
       #6 - TS len=8 data=005739D200000000
       #7 - NOP len=0
       #8 - NOP len=0
       #9 - CCNEW len=4 data=01175882
Payload: none


Thanks in advance.

John H.
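
Added example, not part of the original post and not Snort's own code: a small Python parser that walks the TCP options of the SYN shown in the alert and picks out the RFC 1644 T/TCP options (CC, CC.NEW, CC.ECHO, kinds 11 to 13). The option bytes are a constructed sample rebuilt from the option list in the dump, and the function names are hypothetical. It assumes the decoder alert is raised on the presence of these options, which here is option #9, CCNEW.

```python
# Added example: walk the TCP options of the SYN from the alert above.
# Option kinds per RFC 793 / RFC 1323 / RFC 1644. The byte string is a
# constructed sample rebuilt from the dump's option list, not a capture.

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 8: "TS",
                11: "CC", 12: "CCNEW", 13: "CCECHO"}
TTCP_KINDS = {11, 12, 13}  # RFC 1644 connection-count options

# MSS, NOP, WS, NOP, NOP, TS, NOP, NOP, CCNEW = 28 bytes
# (off=12 in the dump -> 48-byte TCP header = 20 fixed + 28 options)
SAMPLE_OPTIONS = bytes.fromhex(
    "02040200" "01" "030300" "01" "01"
    "080a005739d200000000" "01" "01" "0c0601175882"
)

def parse_tcp_options(raw):
    """Return (kind, name, data) tuples; raise ValueError on bad lengths."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of option list: stop parsing
            options.append((kind, "EOL", b""))
            break
        if kind == 1:          # NOP is a single byte with no length field
            options.append((kind, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d truncated before length byte" % kind)
        length = raw[i + 1]    # length covers kind + length + data
        if length < 2 or i + length > len(raw):
            raise ValueError("option %d has invalid length %d" % (kind, length))
        name = OPTION_NAMES.get(kind, "UNKNOWN(%d)" % kind)
        options.append((kind, name, raw[i + 2:i + length]))
        i += length
    return options

def ttcp_options(raw):
    """Return only the T/TCP options found in a TCP option block."""
    return [opt for opt in parse_tcp_options(raw) if opt[0] in TTCP_KINDS]

if __name__ == "__main__":
    for kind, name, data in parse_tcp_options(SAMPLE_OPTIONS):
        print("kind=%-2d %-6s len=%d data=%s" % (kind, name, len(data), data.hex()))
    print("T/TCP options:", [name for _, name, _ in ttcp_options(SAMPLE_OPTIONS)])
```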
