Snort mailing list archives

Re: too many Alerts (129:12:0)---more than 7000 alerts /per day
From: Jun Wan <junwei_wan () hotmail com>
Date: Sat, 1 Jan 2011 00:34:26 +0000


Hi James,
 
Thanks, I agree "suppress" is the way to go, as these alerts seem to be false positives.
 
I tested it and it worked: all alerts (129:12:0) are gone!
 
Regards
 
John



Date: Thu, 30 Dec 2010 05:27:35 -0700
From: jlay () slave-tothe-box net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] too many Alerts (129:12:0)---more than 7000 alerts /per day



Not much improvement (still 7000+ alerts (129:12:0) per day), then I did the following in Snort.conf:

From:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
overlap_limit 10, small_segments 3 bytes 100, timeout 180,
To:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
overlap_limit 20, small_segments 6 bytes 250, timeout 180,
 
But Snort is still producing 7000+ alerts (129:12:0) every day; I'm not sure whether what I did above is the right way to reduce the number of these alerts.
 






John,


Since I'm guessing these aren't relevant to you, you can use your threshold to ignore it.  In your threshold file:


suppress gen_id 129, sig_id 12


That should stop you from seeing it altogether.


James
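Before suppressing a signature outright it helps to measure how often it fires and from how many sources, since a blanket suppress hides the event for every host. The Python below is an added example, not code from the thread: it parses Snort alert_fast lines, counts alerts per gen_id/sig_id, and emits threshold.conf suppress lines, using the per-source form (track by_src, ip) when only a few sources are involved. The sample alert lines and their message text are constructed.

```python
import re
from collections import Counter, defaultdict

# One Snort alert_fast line: timestamp, [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample log; message text is illustrative, not copied from Snort.
SAMPLE = """\
12/30-05:27:35.100000  [**] [129:12:1] Stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.10:51234
12/30-05:27:36.200000  [**] [129:12:1] Stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.0.0.5:443 -> 192.168.1.11:51235
12/30-05:27:37.300000  [**] [129:12:1] Stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 10.0.0.6:443 -> 192.168.1.10:51236
12/30-05:28:01.000000  [**] [1:2000001:1] CONSTRUCTED sample rule [**] [Classification: Misc] [Priority: 2] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353
"""

def parse_fast_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count alerts per (gid, sid) and collect the distinct source IPs per signature."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue  # skip unparseable lines rather than miscounting
        key = (int(a["gid"]), int(a["sid"]))
        counts[key] += 1
        sources[key].add(a["src"])
    return counts, sources

def suggest_suppressions(counts, sources, min_alerts, max_sources=3):
    """For signatures firing at least min_alerts times, emit threshold.conf suppress lines.
    With few distinct sources, scope the suppress to each source (track by_src, ip <addr>);
    otherwise fall back to the blanket form used in the thread."""
    out = []
    for (gid, sid), n in counts.most_common():  # most frequent first
        if n < min_alerts:
            break
        srcs = sorted(sources[(gid, sid)])
        if len(srcs) <= max_sources:
            out.extend(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}" for ip in srcs)
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out

if __name__ == "__main__":
    c, s = summarize(SAMPLE.splitlines())
    print("\n".join(suggest_suppressions(c, s, min_alerts=2)))
```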
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
