[Snort-users] Very high amount of "TCP Small Segment Threshold Exceeded"

Giacomo lib.giacomo at ...11827...
Mon Feb 27 03:39:42 EST 2012

Hi there,

I recently started using Snort. After enabling the (default) preprocessor configuration I started receiving very large amounts of events regarding stream5.
Since it is a server that is not being used for anything I assume this event is generated by my SSH connection. A couple of topics have discussed this but none come with a very clear answer why this is occurring and how you can solve it.
The only two suggestions I found were to change the max_tcp value in stream5_global or increase the memcap. But both of these suggestions don't work. So I am wondering if any one of you has an idea why this is occurring and what I can do about it.

