[Snort-users] Starting off now it's running
paul.guijt at ...11827...
paul.guijt at ...11827...
Sun Apr 16 11:20:40 EDT 2017
Thanks for your suggestion! It put me on a better track.
At first I had completely removed 'small_segments 0 bytes 0,' from snort.conf. But then I thought that removal to be brutal, because I only wanted to suppress a specific alert. I found out that I can suppress alerts through suppress in threshold.conf, and am now exploring that.
Van: Al Lewis (allewi) [mailto:allewi at ...589...]
Verzonden: zondag 16 april 2017 03:51
Aan: Paul Guijt <paul.guijt at ...11827...>; snort-users at lists.sourceforge.net
Onderwerp: Re: [Snort-users] Starting off now it's running
A good place to start would be in the manual/README files.
In this particular case check out the doc/README.stream5 file and see the section on “small segments”. Copied below:
small_segments <num1> bytes <num2> [ignore_ports port list]
- Configure the maximum small segments queued.
This feature requires that detect_anomalies be enabled.
num1 is the number of consecutive segments that will
trigger the detection rule. The default value is
"0" (disabled),with a maximum of "2048”.
num2 is the minimum bytes for a segment to be
considered "small". The default value is "0" (disabled),
with a maximum of "2048”.
ignore_ports is optional, defines the list of
ports in which will be ignored for this rule.
The number of ports can be up to "65535”.
small_segments 3 bytes 15 ignore_ports 33 44 55
A message is written to console/syslog when this
limit is enforced. The generated alert is 129:12
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...
On 4/15/17, 4:18 PM, "Paul Guijt" <paul.guijt at ...11827...> wrote:
>I have Snort now running on my Raspberry in IDS mode (thanks Don
>Mizutani!), great. It spits out in /var/log/snort/alerts reports like
> [**] [129:12:1] Consecutive TCP small segments exceeding threshold
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 04/15-21:21:36.514707 192.168.178.100:2049 -> 192.168.178.28:698
> TCP TTL:64 TOS:0x0 ID:18139 IpLen:20 DgmLen:128 DF
> ***AP*** Seq: 0xD8616620 Ack: 0x6982D5A5 Win: 0x103A TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1942222394 4294959044
>This is an alert about friendly traffic (a NFS connection).
>Where can I learn how to deal with these alerts? How can I suppress
>false-positives like these?
>I can find a truckload of information online about installation of Snort.
>But where to find information on the usage? Am I overlooking something?
>Any help will gladly be appreciated!
>------- Check out the vibrant tech community on one of the world's most
>engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
>Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users