Snort mailing list archives
Re: snort-decoder
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 12 May 2003 14:09:10 -0400
At 09:51 AM 5/12/2003 -0400, John Hally wrote:
I'm getting pummeled by these alerts (23,000+ this weekend) which have to be false positives, but I can't figure out a way to disable it short of shutting off the sensor. Can anyone give me a little insight as to how to disable this alert, or why I'm getting so many?

#(9 - 66761) [2003-05-12 13:46:36] [snort/56] (snort_decoder): T/TCP
google is your friend, try it sometime, really:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=snort+t%2Ftcp&sa=N&tab=wg

In summary: T/TCP is the TCP for Transactions protocol. It's an optimized protocol loosely based on TCP that's designed around "get this" "get that" type transfers, such as HTTP. It winds up greatly reducing the overhead of generating 100 new TCP connections just to fetch the contents of a web page that contains 100 images.
This rule mostly exists to inform people that T/TCP is flowing past the snort sensor, and T/TCP is a protocol that isn't always thought of when designing firewall or snort rules.
You can disable these alerts with the following directive:

config disable_ttcp_alerts

Here's a short clip from a post by Richard Bejtlich which contains some good links to information on T/TCP (it's the first post in the google search I linked above):
---------------
For those who want more than my simplistic rendition of the protocol, see RFC 1379 (http://www.faqs.org/rfcs/rfc1379.html). Other resources include:

T/TCP home page: http://www.kohala.com/start/ttcp.html
1998 Phrack Article by Route: http://www.phrack.com/show.php?p=53&a=6
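The decoder alert above fires on the TCP options T/TCP adds to a segment: the connection-count options CC (kind 11), CC.NEW (kind 12) and CC.ECHO (kind 13) defined in RFC 1644. The following Python is an added example, not code from the thread or from Snort itself; it walks the TCP option list the way a decoder has to (honouring EOL and NOP, and refusing bogus lengths rather than looping or over-reading) and reports which T/TCP options are present, so you can check a captured header against what the sensor is complaining about. The sample headers are constructed inline; the `build_tcp_header` helper and its port/sequence values are assumptions for the demonstration only.

```python
import struct

# TCP option kinds from RFC 1644 (T/TCP). The Snort decoder keys on these
# before raising "(snort_decoder): T/TCP".
TCPOPT_CC = 11       # Connection Count
TCPOPT_CCNEW = 12    # CC.NEW
TCPOPT_CCECHO = 13   # CC.ECHO
TTCP_OPTIONS = {TCPOPT_CC: "CC", TCPOPT_CCNEW: "CC.NEW", TCPOPT_CCECHO: "CC.ECHO"}


def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, payload) tuples for the options in a TCP header.

    The data offset field (header length in 32-bit words) says where the
    options end. A malformed option length (0 or 1, or one that runs past the
    header) stops parsing instead of looping forever or reading past the buffer.
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset %d" % data_offset)
    opts = tcp_header[20:data_offset]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: end of option list
            break
        if kind == 1:            # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            break                # kind byte with no length byte: truncated
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                # bogus length: stop rather than misparse
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def ttcp_options_present(tcp_header: bytes):
    """Names of the T/TCP options found in the header (empty list if none)."""
    return [TTCP_OPTIONS[k] for k, _ in parse_tcp_options(tcp_header)
            if k in TTCP_OPTIONS]


def build_tcp_header(options: bytes) -> bytes:
    """Constructed sample (hypothetical helper): a SYN from port 40000 to 80
    carrying the given options, padded to a 4-byte boundary. Checksum is left
    zero; this header never goes on the wire."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        40000, 80,          # source, destination port
                        1000, 0,            # sequence, acknowledgement
                        data_offset << 4,   # data offset (words), reserved bits
                        0x02,               # flags: SYN
                        8192, 0, 0)         # window, checksum, urgent pointer
    return fixed + padded


# Constructed samples: an ordinary HTTP SYN carrying only MSS (kind 2), and a
# T/TCP SYN carrying MSS, a NOP, and a CC option (kind 11, length 6, count 42).
PLAIN_SYN = build_tcp_header(b"\x02\x04\x05\xb4")
TTCP_SYN = build_tcp_header(b"\x02\x04\x05\xb4"
                            b"\x01"
                            b"\x0b\x06\x00\x00\x00\x2a")

if __name__ == "__main__":
    for name, hdr in (("plain SYN", PLAIN_SYN), ("T/TCP SYN", TTCP_SYN)):
        print(name, "options:", parse_tcp_options(hdr),
              "T/TCP:", ttcp_options_present(hdr) or "none")
```

Run against real traffic you would feed `ttcp_options_present` the 20-to-60-byte TCP header sliced out of each packet; any segment that comes back non-empty is one the decoder would flag, which is why a site with a T/TCP-speaking web server or proxy in the path sees the alert on every transaction rather than occasionally.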