[Snort-users] Stream5

ARAI Shun-ichi hermes at ...15562...
Thu Aug 23 21:28:42 EDT 2012


In <7ED45A0B-7F8F-41C3-AE55-5CF703460DB7 at ...14399...>;
   Nicholas Horton <fivetenets at ...14399...> wrote
   as Subject "Re: [Snort-users] Stream5":

> I tried removing detect_anomalies and setting the small_segments value to 0 and it still pops up repeatedly.
> 
> Any more ideas why the small segment stream5 pp is getting triggered?

How about adding the port number to the "ports" port list?
(If you get alerts for specific port(s).)

Or, if you are sure that the alerts mean no security risk, you can
suppress the alert message.

For example, write local rules like:
suppress gen_id 129, sig_id 12, track by_dst, ip XX.XX.XX.XX
suppress gen_id 129, sig_id 12, track by_src, ip XX.XX.XX.XX

BTW, I am using Snort for Linux and Windows PC (XP SP3).
On Win XP (with wireless network), the device sometimes hangs after a
small segment alert. I am not sure whether small segments cause it or
not.
The device revives after reconnecting to the access point.

Is there any solution?

(Snort: 2.9.3, WinPcap: 4.1.2)
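
Added example, not part of the original message and not Snort project code: a small Python script that tallies 129:12 alerts by host and destination port, to show which ports or hosts the suggestions above would apply to, and prints suppress entries in the form quoted in the message. It assumes alerts are logged in the alert_fast text layout; the sample lines, addresses, function names and the min_hits threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the alert_fast layout (documentation-range addresses).
SAMPLE = """\
08/23-21:20:01.100000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
08/23-21:20:02.200000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
08/23-21:20:03.300000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:51240 -> 198.51.100.5:22
08/23-21:21:00.000000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.20:40000 -> 198.51.100.5:22
08/23-21:22:00.000000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.30:40001 -> 198.51.100.7:23
08/23-21:23:00.000000  [**] [1:1000001:1] Constructed local rule [**] [Priority: 3] {TCP} 192.0.2.10:51250 -> 198.51.100.5:80
"""

# Pull gen_id, sig_id and the TCP endpoints out of one alert line.
ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{TCP\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def tally(text, gid=129, sid=12):
    """Count matching alerts per source IP, destination IP and destination port."""
    by_src, by_dst, by_dport = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = ALERT.search(line)
        if not m or (int(m["gid"]), int(m["sid"])) != (gid, sid):
            continue  # other generators/signatures are left alone
        by_src[m["src"]] += 1
        by_dst[m["dst"]] += 1
        by_dport[int(m["dport"])] += 1
    return by_src, by_dst, by_dport

def suppress_lines(text, min_hits=3, gid=129, sid=12):
    """Emit suppress entries only for hosts seen at least min_hits times."""
    by_src, by_dst, _ = tally(text, gid, sid)
    out = []
    for track, counts in (("by_src", by_src), ("by_dst", by_dst)):
        for ip, n in sorted(counts.items()):
            if n >= min_hits:
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return out

if __name__ == "__main__":
    print("destination ports:", dict(tally(SAMPLE)[2]))
    print("\n".join(suppress_lines(SAMPLE)))
```

The per-port counts show whether the alerts cluster on a few services, and only hosts above the threshold get a suppress entry, so one-off alerts from other hosts stay visible.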



