[Snort-users] Starting off now it's running

paul.guijt at ...11827... paul.guijt at ...11827...
Sun Apr 16 11:20:40 EDT 2017

Hi Al,

Thanks for your suggestion! It put me on a better track. 

At first I had completely removed 'small_segments 0 bytes 0,' from snort.conf. But then I thought that removal to be brutal, because I only wanted to suppress a specific alert. I found out that I can suppress alerts through suppress in threshold.conf, and am now exploring that. 


-----Oorspronkelijk bericht-----
Van: Al Lewis (allewi) [mailto:allewi at ...589...] 
Verzonden: zondag 16 april 2017 03:51
Aan: Paul Guijt <paul.guijt at ...11827...>; snort-users at lists.sourceforge.net
Onderwerp: Re: [Snort-users] Starting off now it's running

A good place to start would be in the manual/README files. 

In this particular case check out the doc/README.stream5 file and see the section on “small segments”. Copied below:

small_segments <num1> bytes <num2> [ignore_ports port list]

                            - Configure the maximum small segments queued.  
                              This feature requires that detect_anomalies be enabled. 

                              num1 is the number of consecutive segments that will
                              trigger the detection rule. The default value is 
                              "0" (disabled),with a maximum of "2048”.  

                              num2 is the minimum bytes for a segment to be 
                              considered "small". The default value is "0" (disabled),
                              with a maximum of "2048”.  

                              ignore_ports is optional, defines the list of
                              ports in which will be ignored for this rule.
                              The number of ports can be up to "65535”.

                                small_segments 3 bytes 15 ignore_ports 33 44 55
                              A message is written to console/syslog when this 
                              limit is enforced. The generated alert is 129:12


Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589... 

On 4/15/17, 4:18 PM, "Paul Guijt" <paul.guijt at ...11827...> wrote:

>Hi all,
>I have Snort now running on my Raspberry in IDS mode (thanks Don 
>Mizutani!), great. It spits out in /var/log/snort/alerts reports like
>	[**] [129:12:1] Consecutive TCP small segments exceeding threshold 
>	[Classification: Potentially Bad Traffic] [Priority: 2]
>	04/15-21:21:36.514707 ->
>	TCP TTL:64 TOS:0x0 ID:18139 IpLen:20 DgmLen:128 DF
>	***AP*** Seq: 0xD8616620  Ack: 0x6982D5A5  Win: 0x103A  TcpLen: 32
>	TCP Options (3) => NOP NOP TS: 1942222394 4294959044
>This is an alert about friendly traffic (a NFS connection). 
>Where can I learn how to deal with these alerts? How can I suppress 
>false-positives like these?
>I can find a truckload of information online about installation of Snort.
>But where to find information on the usage? Am I overlooking something? 
>Any help will gladly be appreciated!
>------- Check out the vibrant tech community on one of the world's most 
>engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
>Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list