[Snort-users] perfmonitor pre-processor issues

Joel Esler jesler at ...1935...
Thu Sep 30 17:48:20 EDT 2010


Is there anyway you can provide a snort.conf and a pcap of your
network traffic to me privately?

Something doesn't sound right.

J

On Thursday, September 30, 2010, Daniel Shepherd
<shepdelacreme at ...11827...> wrote:
> I am currently running 2.9.0 and am having a lot of preprocessor
> issues. Alerts for http, stream5, and frag3 needed to be turned off
> completely because the number of alerts was crushing the machine. The
> largest offender by far was stream5 with alerts about excessive fragment
>  and "timestamp outside PAWS window". The
> frag3 engine was giving similar fragmentation alerts. With alerting
> turned off for those three pp’s I’m down to the smtp and dcerpc2 pp’s
> sending excessive false positive alerts.
> smtp – attempted command buffer overflow: more than 512 chars
> smtp – attempted header name buffer overflow: ### chars before colon
> I call the two above false positive because when looking at the
> provided payload it appears that the preprocessor is alerting on data in
>  the body of the smtp message. I thought that putting the ignore_data
> parameter in snort.conf for the smtp pp would stop this but it hasn’t.
> dcerpc2 – Connection-oriented DCE/RPC – Invalid major version: ###
> This is supposed to alert when a dcerpc connection is made and the
> major version is anything but 5 according to the documentation. When I
> download the payload in pcap format and view it with Wireshark the major
>  version is always correctly identified as 5 though.
> I’m not sure where the problem lies, traffic, hardware, config, etc
> but has anyone dealt with this before? I’d rather not turn off the pp
> alerts completely but that is kind of where I’m at…is that what most
> people do with the preprocessors?
>




More information about the Snort-users mailing list