[Snort-users] Stream5

Nicholas Horton fivetenets at ...14399...
Thu Aug 23 17:22:44 EDT 2012


I tried removing detect_anomalies and setting the small_segments value to 0 and it still pops up repeatedly.

Any more ideas why the small segment stream5 pp is getting triggered?

I'm running 2.9.2.3. 

Thanks,
Nick

On Aug 22, 2012, at 11:06 PM, Nicholas Horton <fivetenets at ...14399...> wrote:

> Thanks E. I love the link :). Cracks me up.
> 
> I'll take a look. I saw some of the googles got rid of the messages by tweaking some of the options, but I was trying to understand more if I should up the max values, for example, or if there is an issue with the machine that keeps triggering this alert.
> 
> I'll try to read up more on the TCP small segment option to understand what it's looking for.
> 
> Thanks again,
> Nick
> 
> On Aug 22, 2012, at 3:40 PM, Edward Fjellskål <edwardfjellskaal at ...391...1827...> wrote:
> 
>> On 08/22/2012 08:58 PM, Nicholas Horton wrote:
>>> I am getting a large amount of "stream5: TCP Small Segment Threshold Exceeded" alerts. 
>>> 
>>> Where should I start investigating this preprocessor message and how to correct the issue or alert?
>> 
>> Have you tried Google?
>> 
>> http://bit.ly/Nhhoxi
>> 
>> The first hit there brings you to a thread on this issue :)
>> 
>> E
>> 
>>> 
>>> Thanks,
>>> Nick
>>> 
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and 
>>> threat landscape has changed and how IT managers can respond. Discussions 
>>> will include endpoint security, mobile security and the latest in malware 
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>> 
>> 
>> 
> 



