Home page logo
/

snort logo Snort mailing list archives

Re: too many Alerts (129:12:0)---more than 7000 alerts /per day
From: Jun Wan <junwei_wan () hotmail com>
Date: Sat, 1 Jan 2011 00:37:44 +0000


Hi Matt,
 
Thanks for your help, I think "suppress" is the way to go as I didn't use  "--enable-decoder-preprocessor-rules".
 
I tested it, it worked, all alerts (129:12:0) are gone! 
 
Regards
 
John


 
Date: Thu, 30 Dec 2010 10:23:41 -0500
Subject: Re: [Snort-users] too many Alerts (129:12:0)---more than 7000 alerts /per day
From: mwatchinski () sourcefire com
To: junwei_wan () hotmail com
CC: snort-users () lists sourceforge net

If your compiled with --enable-decoder-preprocessor-rules, and are
using the preprocessor.rules file you can just comment out the rule
there.

Additionally, if you are seeing lots of small segments it sounds like
you might be looking at a lot of File server / NFS traffic. Does it
all come from a few locations?

Cheers,
-matt


On Thu, Dec 30, 2010 at 2:07 AM, Jun Wan <junwei_wan () hotmail com> wrote:
Happy 2011 (almost) to all,

My Snort 2.8.6.0 is running on Ubuntu 10.04 (32bit) with Snort Report 1.3.1.

There were 7000~10000 alerts (129:12:0) everyday, it slowed down Snort
Report to load data, so I did the following in threshold.conf and tried to
reduce the number of the alerts:
threshold gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds
60

Not much improvement (still 7000 + alerts (129:12:0) perday), then I did the
follwing in Snort.conf:
From:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
180, \
overlap_limit 10, small_segments 3 bytes 100, timeout 180,
To:
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs
180, \
overlap_limit 20, small_segments 6 bytes 250, timeout 180,

But Snort is still producing 7000+ alerts (129:12:0) everyday, not sure what
I did above is a right way to reduce the number of these alerts.

Any suggestion to reduce the number of these alerts would be much
appreciated.

Thanks
Regards
John









------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment,
and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
                                          
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]