snort-users October 2011 archive

Re: [Snort-users] [Snort-Users] BAD-TRAFFIC small or zero-sized tcp window

From: Kevin Ross <kevross33_at_nospam>
Date: Wed Oct 26 2011 - 18:32:19 GMT

If you change this:

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180

to this:

preprocessor stream5_tcp: policy windows, require_3whs 180

and restart snort it will not alert you on that.

Kevin Ross

On 26 October 2011 15:54, Anton Zaytsev <> wrote:

> Thanks for the quick reply.
> As I understand it, stream5 is a preprocessor and this message is
> generated by a rule. How do they cooperate with each other? What should I
> remove in stream5?
> I can't use suppress rules because I don't know every peer IP address.
> I'd like to disable these messages so that it will not affect situations
> that are not false positives. Maybe it's better to completely disable
> analyzing torrent traffic?
> Thanks
> On Wed, Oct 26, 2011 at 5:25 PM, Kevin Ross <> wrote:
>> You can either use threshold.conf to suppress it or remove the
>> detect_anomalies (or whatever it is) from the stream5 configuration in your
>> snort.conf (it will be in the tcp line, you will spot it). Read the snort
>> manual or stream5 if you want to make sure you remove it correctly so
>> stream5 is the same (basically if it is like option, option option, remove
>> option , to make sure you don't get ,, or something silly).
>> suppress gen_id 1, sig_id 1839006, track by_src, ip
>> On 26 October 2011 15:19, Anton Zaytsev <> wrote:
>>> Hello,
>>> I have plenty of these messages during torrent downloading.
>>> The system is Centos5 and the client is rtorrent.
>>> Snort signature information <> says
>>> that
>>> "This event is generated when an attempt is made to exploit a known
>>> vulnerability in Microsoft Windows"
>>> and
>>> "False Positives: None known."
>>> Please tell me how I can get rid of them.
>>> Anton
>>> --
>>> To post to this group, send email to
>>> Please visit for the latest news about Snort!
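
Removing an option from the stream5_tcp line without leaving a stray comma, as discussed in the thread above, can be scripted. This is an added Python example, not part of the original messages; the function name, the constructed snort.conf fragment and the choice to collapse backslash-continued directives onto one line are assumptions.

```python
import re

# Start of a stream5_tcp directive; commented-out lines begin with '#' and do not match.
DIRECTIVE = re.compile(r"^(preprocessor\s+stream5_tcp\s*:)(.*)$")


def drop_stream5_option(conf_text, option="detect_anomalies"):
    """Return conf_text with `option` removed from every stream5_tcp directive.

    Backslash-continued directives are collapsed onto one line; all other
    lines are passed through untouched.
    """
    out, pending = [], []
    for line in conf_text.splitlines():
        pending.append(line)
        if line.rstrip().endswith("\\"):
            continue  # directive continues on the next physical line
        joined = " ".join(p.rstrip().rstrip("\\").strip() for p in pending)
        match = DIRECTIVE.match(joined)
        if match:
            # Split on commas, drop the option by its first word, and rejoin,
            # so no ",," or trailing "," is left behind.
            opts = [o.strip() for o in match.group(2).split(",")]
            kept = [o for o in opts if o and o.split()[0] != option]
            out.append((match.group(1) + " " + ", ".join(kept)).rstrip())
        else:
            out.extend(pending)
        pending = []
    out.extend(pending)
    return "\n".join(out) + "\n"


# Constructed sample snort.conf fragment (not from a real deployment).
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes, track_udp yes
# preprocessor stream5_tcp: policy first, detect_anomalies
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180
preprocessor stream5_tcp: bind_to 10.0.0.0/8, policy linux, \\
    require_3whs 180, detect_anomalies
"""

if __name__ == "__main__":
    print(drop_stream5_option(SAMPLE_CONF), end="")
```

Diff the rewritten file against the original before restarting Snort, since detect_anomalies controls all of stream5's TCP anomaly alerts for that policy, not only the one being silenced.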


Snort-users mailing list