
Re: [Snort-users] [Snort-Users] BAD-TRAFFIC small or zero-sized tcp window

From: Kevin Ross <kevross33_at_nospam>
Date: Wed Oct 26 2011 - 18:32:19 GMT
To: snortusers@googlegroups.com, snort-users@lists.sourceforge.net

If you change this:

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180

to this:

preprocessor stream5_tcp: policy windows, require_3whs 180

and restart snort it will not alert you on that.

Regards,
Kevin Ross

On 26 October 2011 15:54, Anton Zaytsev <anton.zajtsev@gmail.com> wrote:

> Thanks for the quick reply.
> As I understand correctly, stream5 is a preprocessor and this message is
> generated by a rule. How do they cooperate with each other? What should I
> remove in stream5?
> I can't use suppress rules because I don't know every peer IP address.
> I'd like to disable these messages so that it will not affect non-false-
> positive situations. Maybe it's better to disable completely analyzing
> torrent traffic?
>
> Thanks
>
> On Wed, Oct 26, 2011 at 5:25 PM, Kevin Ross <kevross33@googlemail.com> wrote:
>
>> You can either use threshold.conf to suppress it or remove the
>> detect_anomalies (or whatever it is) from stream5 configuration in your
>> snort.conf (it will be in the tcp line, you will spot it). Read the snort
>> manual on stream5 if you want to make sure you remove it correctly so stream
>> 5 is the same (basically if it is like option, option, option, remove option,
>> to make sure you don't get ,, or something silly).
>>
>>
>> suppress gen_id 1, sig_id 1839006, track by_src, ip 194.189.116.0/23
>>
>>
>> On 26 October 2011 15:19, Anton Zaytsev <anton.zajtsev@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I have plenty of these messages during torrent downloading.
>>> System is Centos5 and client rtorrent.
>>> Snort signature information <http://rootedyour.com/snortsid?sid=3:15912> says
>>> that
>>> "This event is generated when an attempt is made to exploit a known
>>> vulnerability in Microsoft Windows"
>>> and
>>> "False Positives: None known."
>>>
>>> Please tell me how I can get rid of them.
>>>
>>> Anton
>>>
>>> --
>>> To post to this group, send email to snortusers@googlegroups.com
>>>
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>
>
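Kevin's advice is to drop the `detect_anomalies` option from the `stream5_tcp` line and to make sure the remaining options are still joined cleanly (no `,,` left behind). The following script is an added example, not part of the thread or of the Snort project: it removes one option from a Snort 2.x `preprocessor <name>:` directive by option name (so options with arguments such as `require_3whs 180` are kept intact) and then scans the result for malformed comma separators. The `SAMPLE_SNORT_CONF` fragment is constructed for the example and modelled on the line quoted above; the code assumes each preprocessor directive sits on a single line without backslash continuations.

```python
"""Remove one option from a Snort 2.x preprocessor directive and check the result."""
import re

# Constructed sample, modelled on the stream5 lines discussed in the thread (not a real snort.conf).
SAMPLE_SNORT_CONF = """\
# stream5 configuration
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180
preprocessor stream5_udp: timeout 180
"""

# Matches ",," (possibly with spaces between), a comma right after the colon, or a trailing comma.
_BAD_COMMAS = re.compile(r",\s*,|:\s*,|,\s*$")


def remove_preprocessor_option(conf_text: str, preprocessor: str, option: str) -> str:
    """Return conf_text with `option` dropped from every `preprocessor <name>:` line.

    Options are comma separated and may carry an argument ("require_3whs 180"),
    so an option is matched on its first word only. Assumes one directive per
    line (no backslash continuations); that is a simplification for this example.
    """
    prefix = f"preprocessor {preprocessor}:"
    out = []
    for line in conf_text.splitlines():
        body = line.lstrip()
        if body.startswith(prefix):
            indent = line[: len(line) - len(body)]
            opts = [o.strip() for o in body[len(prefix):].split(",")]
            kept = [o for o in opts if o and o.split()[0] != option]
            # Rejoin with a single ", " so no ",," or trailing comma is left behind.
            line = (f"{indent}{prefix} " + ", ".join(kept)).rstrip()
        out.append(line)
    text = "\n".join(out)
    return text + "\n" if conf_text.endswith("\n") else text


def malformed_option_lines(conf_text: str) -> list:
    """List preprocessor lines that contain ',,', ': ,' or a trailing comma."""
    return [
        line for line in conf_text.splitlines()
        if line.lstrip().startswith("preprocessor ") and _BAD_COMMAS.search(line)
    ]


if __name__ == "__main__":
    fixed = remove_preprocessor_option(SAMPLE_SNORT_CONF, "stream5_tcp", "detect_anomalies")
    print(fixed)
    print("malformed lines:", malformed_option_lines(fixed))
```

Run it against a copy of your real snort.conf by reading the file into `conf_text`; `malformed_option_lines` should return an empty list before you restart Snort with the edited file.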


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!