[Snort-users] Starting off now it's running

Al Lewis (allewi) allewi at ...589...
Sat Apr 15 21:50:53 EDT 2017

A good place to start would be in the manual/README files. 

In this particular case check out the doc/README.stream5 file and see the section on “small segments”. Copied below:

small_segments <num1> bytes <num2> [ignore_ports port list]

                            - Configure the maximum small segments queued.  
                              This feature requires that detect_anomalies be enabled. 

                              num1 is the number of consecutive segments that will
                              trigger the detection rule. The default value is 
                              "0" (disabled),with a maximum of "2048”.  

                              num2 is the minimum bytes for a segment to be 
                              considered "small". The default value is "0" (disabled),
                              with a maximum of "2048”.  

                              ignore_ports is optional, defines the list of
                              ports in which will be ignored for this rule.
                              The number of ports can be up to "65535”.

                                small_segments 3 bytes 15 ignore_ports 33 44 55
                              A message is written to console/syslog when this 
                              limit is enforced. The generated alert is 129:12


Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589... 

On 4/15/17, 4:18 PM, "Paul Guijt" <paul.guijt at ...11827...> wrote:

>Hi all,
>I have Snort now running on my Raspberry in IDS mode (thanks Don Mizutani!),
>great. It spits out in /var/log/snort/alerts reports like 
>	[**] [129:12:1] Consecutive TCP small segments exceeding threshold
>	[Classification: Potentially Bad Traffic] [Priority: 2]
>	04/15-21:21:36.514707 ->
>	TCP TTL:64 TOS:0x0 ID:18139 IpLen:20 DgmLen:128 DF
>	***AP*** Seq: 0xD8616620  Ack: 0x6982D5A5  Win: 0x103A  TcpLen: 32
>	TCP Options (3) => NOP NOP TS: 1942222394 4294959044
>This is an alert about friendly traffic (a NFS connection). 
>Where can I learn how to deal with these alerts? How can I suppress
>false-positives like these? 
>I can find a truckload of information online about installation of Snort.
>But where to find information on the usage? Am I overlooking something? 
>Any help will gladly be appreciated!
>Check out the vibrant tech community on one of the world's most
>engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
>Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list