[Snort-users] flow:established still broken in 220.127.116.11?
jason.r.wallace at ...11827...
Wed Jun 29 21:39:06 EDT 2011
If you are frequently getting FP on ssl/tls/ssh traffic, even though
you have this data set to ignore in the ssl/ssh preprossors, then make
sure all your ports that are supporting this type of traffic are in
both the ssl/ssh preprocessors and in stream5. They have to be listed
in "ports both" section for the ignore options to work correctly. I
don't know for sure but tls smtp traffic might follow this rule too.
I see in the snort.conf for 2.9.1_beta port 22 is only list in "ports
client". Shouldn't this be in "ports both" to function correctly?
On Wed, Jun 29, 2011 at 6:12 PM, Jason Haar <Jason.Haar at ...294...> wrote:
> On 30/06/11 09:33, Russ Combs wrote:
>> depth:2 applies to the current packet (raw or reassembled). It is not
>> a depth from beginning of stream.
> Ahhh! the penny drops - so it should be expected to get FPs due to this
> then? Shouldn't there be a "streamdepth:" option then? Almost all TCP
> protocols are defined by their first few bytes, so checking only the
> beginning of a stream should improve things for many rules? I have
> routinely seen FPs caused by this with SSL and ZIP/compressed data flows
> - almost all would be removed if there was a "streamdepth" sort of option.
> (I've just checked the manual and indeed "depth" is only about packets,
> not streams - and yet all the "tcp_stream" options in snort had lead me
> to believe it did something more precise - my mistake :-)
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please see http://www.snort.org/docs for documentation
More information about the Snort-users