[Snort-users] snort-decoder

Matt Kettler mkettler at ...4108...
Mon May 12 11:11:12 EDT 2003


At 09:51 AM 5/12/2003 -0400, John Hally wrote:
>I'm getting pummeled by these alerts (23,000+ this weekend) which have to be
>false positives, but I can't figure out a way to disable it short of
>shutting off the sensor.  Can anyone give me a little insight as to how to
>disable this alert, or why I'm getting so many?:
>
>#(9 - 66761) [2003-05-12 13:46:36] [snort/56]  (snort_decoder): T/TCP

Google is your friend, try it sometime, really:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=snort+t%2Ftcp&sa=N&tab=wg

In summary:

T/TCP is the TCP for Transactions protocol. It's an optimized protocol 
loosely based on TCP that's designed around "get this" "get that" type 
transfers, such as HTTP. It winds up greatly reducing the overhead of 
generating 100 new TCP connections just to fetch the contents of a web page 
that contains 100 images.

This rule mostly exists to inform people that T/TCP is flowing past the 
snort sensor, and T/TCP is a protocol that isn't always thought of when 
designing firewall or snort rules.

You can disable these alerts with the following directive:

config disable_ttcp_alerts


Here's a short clip from a post by Richard Bejtlich which contains some 
good links to information on T/TCP (it's the first post in the Google 
search I linked above):
---------------
For those who want more than my simplistic rendition
of the protocol, see RFC 1379
(http://www.faqs.org/rfcs/rfc1379.html).

Other resources include:

T/TCP home page:

http://www.kohala.com/start/ttcp.html

1998 Phrack Article by Route:

http://www.phrack.com/show.php?p=53&a=6
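
The T/TCP options that the snort decoder keys on are TCP option kinds 11 (CC), 12 (CC.NEW) and 13 (CC.ECHO) from RFC 1644. The following is an added example, not code from this thread or from Snort, that walks a raw TCP header's option field and reports which of those options are present, so you can confirm that the traffic really does carry T/TCP before turning the alert off with `config disable_ttcp_alerts`; the sample headers are constructed, not captured, and `build_tcp_header` is a helper invented for the example.

```python
import struct

# T/TCP option kinds from RFC 1644; each carries a 4-byte connection count (length 6).
TTCP_OPTIONS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}


def parse_tcp_options(tcp_header):
    """Return (kind, data) pairs from a raw TCP header's option field.

    Header length comes from the data-offset nibble. An option with an impossible
    length, or one that runs past the header, ends the walk instead of being trusted.
    """
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    opts = tcp_header[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # EOL: end of option list
            break
        if kind == 1:                 # NOP: one-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):        # kind byte with no length byte
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # malformed length
            break
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def ttcp_options_present(tcp_header):
    """Names of the T/TCP options in the header, in order of appearance."""
    return [TTCP_OPTIONS[k] for k, _ in parse_tcp_options(tcp_header) if k in TTCP_OPTIONS]


def build_tcp_header(options):
    """Constructed sample (not captured traffic): a SYN, port 40000 -> 80, with these options."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + padded


# Constructed SYN carrying MSS, a NOP and CC.NEW (kind 12), the shape a T/TCP client sends.
SAMPLE_TTCP_SYN = build_tcp_header(b"\x02\x04\x05\xb4\x01\x0c\x06\x00\x00\x00\x2a")
```

Feed it the 20-to-60-byte TCP header sliced out of a packet you captured (for example with tcpdump -x on the sensor) and a non-empty result means the alert is reporting real T/TCP rather than a false positive.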