[Snort-users] Aurora Exploit Attempt Alert One Hour Delay

Joel Esler (jesler) jesler at ...589...
Thu Jan 23 18:03:25 EST 2014


On Jan 23, 2014, at 5:32 PM, Eoin Miller <eoin.miller at ...14586...> wrote:

> On 1/23/14 4:28 PM, LaTonya Hall wrote:
>> There is about a one hour delay from exploit attempt to snort alert…any ideas?
>> 
>> -LaTonya
>> 
> This happens with Suricata sometimes; there is some timeout value for sessions that don't get closed, then the open session finally gets reaped and the alerts flushed out. Don't know if the same happens in Snort (or if you are running Snort or Suricata).

Depends on the setup of stream. I think by default it should prune after 120 seconds.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
