Re: [Snort-Users] BAD-TRAFFIC small or zero-sized tcp window

[Kevin Ross <kevross33 () googlemail com>]

If you change this:

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180

this this:

preprocessor stream5_tcp: policy windows,  require_3whs 180

and restart snort it will not alert you on that.

Regards,
Kevin Ross



On 26 October 2011 15:54, Anton Zaytsev <anton.zajtsev () gmail com> wrote:

> Thanks for the quick reply.
> As I understand correctly stream5 is preprocessor and this message is
> generating by rule. How does they cooperate with each other? What should I
> remove in stream5?
> I cant use suppress rules because I don't know every peer IP address.
> I'd like to disable this messages so that will not affect not false
> positive situations. Maybe it's better to disable completely analyzing
> torrent traffic?
>
> Thanks
>
> On Wed, Oct 26, 2011 at 5:25 PM, Kevin Ross <kevross33 () googlemail com>wrote:
>
> > You can either use threshold.conf to supress it or remove the
> > detect_anomalies (or whatever it is) from stream5 configuration in your
> > snort.conf (it will be in the tcp line, you will spot it. Read the snort
> > manual or stream5 if you want to make sure you remove it correctly so stream
> > 5 is the same (basically if it is like option, option option, remove option
> > , to make sure you don't get ,, or something silly).
> >
> >
> > suppress gen_id 1, sig_id 1839006, track by_src, ip 194.189.116.0/23
> >
> >
> > On 26 October 2011 15:19, Anton Zaytsev <anton.zajtsev () gmail com> wrote:
> >
> > > Hello,
> > >
> > > I have plenty of this messages during torrent downloading.
> > > System is Centos5 and client rtorrent.
> > > Snort signature information <http://rootedyour.com/snortsid?sid=3:15912> says
> > > that
> > > "This event is generated when an attempt is made to exploit a known
> > > vulnerability in Microsoft Windows"
> > > and
> > > "False Positives: None known."
> > >
> > > Tell please, how can I get rid of them.
> > >
> > > Anton
> > >
> > > --
> > > To post to this group, send email to snortusers () googlegroups com
> > >
> > >
> > > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >  --
> > To post to this group, send email to snortusers () googlegroups com
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>  --
> To post to this group, send email to snortusers () googlegroups com
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!