[Snort-users] Stream5

Nicholas Horton fivetenets at ...14399...
Sat Aug 25 16:32:15 EDT 2012


Thanks. A lot of the alerts were port 445. I decided to suppress that alert so I can look at some other alerts. I plan on coming back to it if I can get the alerts to settle down. I'm having issues with a couple stream5 rules.

Thanks again,
Nick

On Aug 23, 2012, at 9:28 PM, ARAI Shun-ichi <hermes at ...15562...> wrote:

> In <7ED45A0B-7F8F-41C3-AE55-5CF703460DB7 at ...14399...>;
>   Nicholas Horton <fivetenets at ...14399...> wrote
>   as Subject "Re: [Snort-users] Stream5":
> 
>> I tried removing detect_anomalies and setting the small_segments value to 0 and it still pops up repeatedly.
>> 
>> Any more ideas why the small segment stream5 pp is getting triggered?
> 
> How about adding the port number to the "ports" port list?
> (If you get alerts for specific port(s).)
> 
> Or if you are assured that the alerts mean no security risk, you can
> suppress the alert message.
> 
> For example, write local rules like:
> suppress gen_id 129, sig_id 12, track by_dst, ip XX.XX.XX.XX
> suppress gen_id 129, sig_id 12, track by_src, ip XX.XX.XX.XX
> 
> BTW, I am using Snort for Linux and Windows PC (XP SP3).
> On Win XP (with wireless network), the device sometimes hangs up after
> a small segment alert. I am not sure whether small segments cause it or
> not.
> The device revives after reconnecting to the access point.
> 
> Is there any solution?
> 
> (Snort: 2.9.3, WinPcap: 4.1.2)
> 

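An added example, not part of the original e-mails: a Python sketch that tallies Stream5 small-segment alerts (gen_id 129, sig_id 12) per destination and port from fast-format alert lines, then prints suppress lines in the form quoted above only for destinations that reach a threshold. The sample log lines, addresses, function names and the threshold are constructed for illustration, and IPv4/TCP alerts are assumed.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast layout (not from the thread).
SAMPLE_ALERTS = """\
08/25-16:30:01.100000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:49152 -> 192.0.2.20:445
08/25-16:30:02.200000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:49153 -> 192.0.2.20:445
08/25-16:30:03.300000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:49154 -> 192.0.2.20:445
08/25-16:30:04.400000  [**] [129:12:1] ... {TCP} 192.0.2.12:50000 -> 192.0.2.30:22
08/25-16:30:05.500000  [**] [1:1000001:1] Constructed local rule [**] [Priority: 3] {TCP} 192.0.2.10:49155 -> 192.0.2.20:445
"""

# Matches "[gid:sid:rev] ... {TCP} src:sport -> dst:dport" (IPv4 only, an assumption).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*\{TCP\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def tally(log_text, gen_id=129, sig_id=12):
    """Count alerts for one gen_id/sig_id per (destination IP, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and (int(m["gid"]), int(m["sid"])) == (gen_id, sig_id):
            counts[(m["dst"], int(m["dport"]))] += 1
    return counts

def suppress_lines(counts, min_hits, gen_id=129, sig_id=12):
    """Emit by_dst suppress lines only for destinations at or above min_hits."""
    per_dst = Counter()
    for (dst, _port), n in counts.items():
        per_dst[dst] += n
    return [
        f"suppress gen_id {gen_id}, sig_id {sig_id}, track by_dst, ip {dst}"
        for dst, n in sorted(per_dst.items()) if n >= min_hits
    ]

if __name__ == "__main__":
    counts = tally(SAMPLE_ALERTS)
    for (dst, port), n in counts.most_common():
        print(f"{n:4d}  {dst}:{port}")
    print("\n".join(suppress_lines(counts, min_hits=3)))
```

Check the per-port counts before applying the output: a by_dst suppress hides this alert for every port on that host, not just the noisy one.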


