[Snort-users] perfmonitor pre-processor issues

Daniel Shepherd shepdelacreme at ...11827...
Thu Sep 30 17:24:15 EDT 2010

I am currently running 2.9.0 and am having a lot of preprocessor issues.
Alerts for http, stream5, and frag3 needed to be turned off completely
because the number of alerts was crushing the machine. The largest offender
by far was stream5 with alerts about excessive fragment and "timestamp
outside PAWS window". The frag3 engine was giving similar fragmentation
alerts. With alerting turned off for those three pp’s I’m down to the smtp
and dcerpc2 pp’s sending excessive false positive alerts.

smtp – attempted command buffer overflow: more than 512 chars
smtp – attempted header name buffer overflow: ### chars before colon

I call the two above false positive because when looking at the provided
payload it appears that the preprocessor is alerting on data in the body of
the smtp message. I thought that putting the ignore_data parameter in
snort.conf for the smtp pp would stop this but it hasn’t.

dcerpc2 – Connection-oriented DCE/RPC – Invalid major version: ###

This is supposed to alert when a dcerpc connection is made and the major
version is anything but 5 according to the documentation. When I download
the payload in pcap format and view it with Wireshark the major version is
always correctly identified as 5 though.

I’m not sure where the problem lies (traffic, hardware, config, etc.), but has
anyone dealt with this before? I’d rather not turn off the pp alerts
completely, but that is kind of where I’m at… is that what most people do with
the preprocessors?
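Before disabling a preprocessor's alerts outright, it helps to measure which generator and which individual check is producing the volume. The script below is an added example (not from the poster or from the Snort project): it parses Snort 2.9 `alert_fast` lines and tallies them per preprocessor (by generator ID) and per GID:SID:message. The sample lines are constructed; the generator IDs are the real Snort preprocessor GIDs, but the SIDs, counts and hosts in the sample are illustrative.

```python
import re
from collections import Counter

# alert_fast line layout as written by Snort 2.9.x; the optional
# "[Classification: ...]" field is tolerated.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<pri>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$')

# Generator IDs of the preprocessors the post names (Snort 2.9 manual).
PREPROC_GID = {123: "frag3", 129: "stream5", 124: "smtp", 133: "dcerpc2",
               119: "http_inspect", 120: "http_inspect"}

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    return d

def tally(lines):
    """Count alerts per preprocessor and per (gid, sid, message)."""
    by_pp, by_sig = Counter(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        by_pp[PREPROC_GID.get(a["gid"], "gid%d" % a["gid"])] += 1
        # Fold the variable count ("600 chars", "71 chars") so one check is one key.
        by_sig[(a["gid"], a["sid"], re.sub(r"\b\d+\b", "#", a["msg"]))] += 1
    return by_pp, by_sig

# Constructed sample lines: real generator IDs, illustrative SIDs, counts and hosts.
SAMPLE = """\
09/30-17:20:01.000001  [**] [129:4:1] Stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 10.1.1.5:51000 -> 10.1.1.25:25
09/30-17:20:01.000002  [**] [129:4:1] Stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 10.1.1.6:51001 -> 10.1.1.25:25
09/30-17:20:02.000003  [**] [124:1:1] (smtp) Attempted command buffer overflow: 600 chars [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.1.7:51002 -> 10.1.1.25:25
09/30-17:20:02.000004  [**] [124:7:1] (smtp) Attempted header name buffer overflow: 71 chars before colon [**] [Priority: 3] {TCP} 10.1.1.7:51002 -> 10.1.1.25:25
09/30-17:20:03.000005  [**] [133:27:1] (dcerpc2) Connection-oriented DCE/RPC - Invalid major version: 17 [**] [Priority: 3] {TCP} 10.1.1.8:51003 -> 10.1.1.30:445
not an alert line
"""

if __name__ == "__main__":
    pp, sig = tally(SAMPLE.splitlines())
    for name, n in pp.most_common():
        print("%-14s %d" % (name, n))
    for (gid, sid, msg), n in sig.most_common():
        print("%d:%d %-70s %d" % (gid, sid, msg, n))
```

Feed it the real `alert` file (`tally(open("/var/log/snort/alert"))`) to see whether the volume is a handful of checks, which can then be tuned individually in snort.conf rather than silencing the whole preprocessor.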
