[Snort-users] NIPS Rules

wkitty42 at windstream.net wkitty42 at windstream.net
Mon Aug 21 15:18:32 EDT 2017


On 08/21/2017 02:25 PM, Manojit Ghosh via Snort-users wrote:
> I have installed Snort 2.9.9.0 on windows 7 professional 32 bit and running it 
> using the command snort -i 3 -c C:\Snort\etc\snort.conf -A fast. In the 
> alert.ids file, I see a lot of reset outside window alerts, such as this, 
> 08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**] 
> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 
> XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:443 -> XXXX:XXXX:XXXX:XXXX:XXXX:57462. I 
> have reason to believe that these alerts are the result of malicious activities. 
> I want to protect my network from these attacks. Please provide me the precise 
> instructions to prevent these attacks, i.e. the rule(s), the file to place the 
> rule(s) in, & the location of the file.


if the rule is alerting, then you are already detecting them... if you want to 
block them, add the remote IP to your firewall's blocking list...

but these may not really be attacks... you need to capture the traffic and study 
it to see if it really is an attack... it may be that you need to simply adjust 
your stream5 preprocessor settings in your snort.conf file... search for 
"small_segments" and increase the count if you like... see README.stream5 for 
more information...

FWIW: one thing that i've noted over the years of using snort is that new folks 
to snort are now suddenly introduced to what's really going on on their network 
and how it really works... many are quite surprised by traffic they had no idea 
about... i remember one person freaking out when they discovered how chatty 
NETBIOS/NETBEUI is and how often devices using that protocol fight over which 
one is going to be the master browser for the network ;)


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
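As an added example (not part of this thread), a small Python parser for the `-A fast` alert format quoted above that tallies, per gid:sid, which source addresses produced the alerts, so the noisy peers can be pulled out of a capture and examined before deciding whether anything needs blocking; the sample lines and the documentation addresses in them are constructed, not taken from the poster's alert.ids.

```python
import re
from collections import Counter

# Snort 2.x "-A fast" line, same layout as the alert.ids excerpt quoted above.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$')

def split_endpoint(endpoint, proto):
    """Return (address, port); only TCP/UDP carry a port, after the LAST colon (keeps IPv6 intact)."""
    if proto not in ('TCP', 'UDP'):
        return endpoint, None
    addr, _, port = endpoint.rpartition(':')
    return addr, int(port)

def parse_fast_alert(line):
    """Parse one fast-format alert into a dict; None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ('gid', 'sid', 'rev', 'prio'):
        a[key] = int(a[key])
    a['src_ip'], a['src_port'] = split_endpoint(a['src'], a['proto'])
    a['dst_ip'], a['dst_port'] = split_endpoint(a['dst'], a['proto'])
    return a

def peers_for_signature(lines, gid, sid):
    """Count source addresses behind each gid:sid hit, so the noisy peers can be
    pulled out of a packet capture and examined before anyone blocks them."""
    counts = Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if a and a['gid'] == gid and a['sid'] == sid:
            counts[a['src_ip']] += 1
    return counts

# Constructed sample lines using documentation addresses, not the poster's data.
SAMPLE_ALERTS = [
    '08/21-23:16:37.473511  [**] [129:15:1] Reset outside window [**] '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8::10:443 -> 2001:db8::20:57462',
    '08/21-23:16:39.101200  [**] [129:15:1] Reset outside window [**] '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 2001:db8::10:443 -> 2001:db8::20:57470',
    '08/21-23:17:02.004410  [**] [129:15:1] Reset outside window [**] '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.7:443 -> 192.0.2.55:49201',
    '08/21-23:17:05.330000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] '
    '[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.7:443 -> 192.0.2.55:49201',
]
```

Running `peers_for_signature(open('alert.ids'), 129, 15).most_common()` against a real alert.ids gives the per-peer tally; note that in the quoted line the source port is 443, i.e. the resets come from the remote HTTPS side of the connection.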


