Snort mailing list archives
Re: Strange Alerts
From: Brett.Gillett () tsx com
Date: Wed, 23 Apr 2003 12:53:24 -0400
Artur,
Look in your snort.conf file for the following line and uncomment it.
# config disable_ttcp_alerts
That should stop those alerts.
Brett
Artur Bittencourt <artur () via-rs net>
Sent by: snort-users-admin () lists sourceforge net
23/04/2003 01:18 PM
To: snort-users () lists sourceforge net
cc:
Subject: Re: [Snort-users] Strange Alerts
Hi there,
I have the same situation here. After I've upgraded to Snort 2.0.0
I've got a lot of alerts (more than 191000) with "(snort_decoder): T/TCP
Detected" on my e-mail server. How do I turn this rule off?
Thank you for your attention,
Artur
At 10:31 23/4/2003 -0500, you wrote:
Brett.Gillett () tsx com wrote asking:
I have a question regarding alerts that we started to receive once we upgraded to Snort 2.0, it seems that all of our sensors started generating T/TCP Detected alerts
T/TCP stands for "Transaction TCP", and is a way of dispensing with the customary three-way handshake used to initiate a TCP exchange over the network. Do a Google on "t/tcp" and you'll find out lots about it, but here's a link to get started:
http://ttcplinux.sourceforge.net/
I grepped the source IP in my webserver logs and have so far found that these packets are commonly associated with "normal" sessions involving Microsoft IE clients. Are you hosting any websites?
Best regards,
Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

Artur Bittencourt
PROCERGS - Cia. de Processamento de Dados do Estado do RGS
Divisão de Telecomunicações
CCNA Certified
Tel: +55 51 32103138 Fax: +55 51 32103159
Porto Alegre - RS - Brasil
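
An added example, not part of the original thread and not Snort's decoder code: a Python parser that walks the options of a raw TCP header and reports the T/TCP connection-count options, which RFC 1644 assigns kinds 11 (CC), 12 (CC.NEW) and 13 (CC.ECHO), each 6 bytes long. It can be used to confirm that flagged packets really carry T/TCP options before the alert is disabled; the function names and the sample headers are constructed for illustration.

```python
import struct

# TCP option kinds defined for T/TCP in RFC 1644; each has total length 6.
TTCP_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}

def ttcp_options(tcp_header: bytes):
    """Return [(name, value)] for T/TCP options found in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in TTCP_KINDS:
            if length != 6:
                raise ValueError("T/TCP option with wrong length")
            (value,) = struct.unpack("!I", opts[i + 2:i + 6])
            found.append((TTCP_KINDS[kind], value))
        i += length
    return found

def build_header(flags: int, options: bytes) -> bytes:
    """Constructed sample header: ports 1025 -> 80, seq 1, ack 0, window 8192."""
    options += b"\x00" * (-len(options) % 4)     # pad options to 32 bits
    offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 1025, 80, 1, 0,
                        offset << 4, flags, 8192, 0, 0)
    return fixed + options

# Constructed samples: a SYN carrying MSS + NOP NOP + CC, and a plain SYN.
SYN_TTCP = build_header(0x02, b"\x02\x04\x05\xb4\x01\x01\x0b\x06\x00\x00\x00\x2a")
SYN_PLAIN = build_header(0x02, b"\x02\x04\x05\xb4")
```

`ttcp_options(SYN_TTCP)` reports the CC option and its connection count, while `ttcp_options(SYN_PLAIN)` returns an empty list.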
