Snort mailing list archives

Re: snort-decoder


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 12 May 2003 14:09:10 -0400

At 09:51 AM 5/12/2003 -0400, John Hally wrote:
I'm getting pummeled by these alerts (23,000+ this weekend) which have to be
false positives, but I can't figure out a way to disable it short of
shutting off the sensor. Can anyone give me a little insight as to how to disable
this alert, or why I'm getting so many?:

#(9 - 66761) [2003-05-12 13:46:36] [snort/56]  (snort_decoder): T/TCP

Google is your friend, try it sometime, really:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=snort+t%2Ftcp&sa=N&tab=wg

in summary:

T/TCP is the TCP for Transactions protocol. It's an optimized protocol loosely based on TCP that's designed around "get this" "get that" type transfers, such as HTTP. It winds up greatly reducing the overhead of generating 100 new TCP connections just to fetch the contents of a web page that contains 100 images.

This rule mostly exists to inform people that T/TCP is flowing past the snort sensor, and T/TCP is a protocol that isn't always thought of when designing firewall or snort rules.

You can disable these alerts with the following directive:

config disable_ttcp_alerts


Here's a short clip from a post by Richard Bejtlich which contains some good links to information on T/TCP (it's the first post in the Google search I linked above).
---------------
For those who want more than my simplistic rendition
of the protocol, see RFC 1379
(http://www.faqs.org/rfcs/rfc1379.html).

Other resources include:

T/TCP home page:

http://www.kohala.com/start/ttcp.html

1998 Phrack Article by Route:

http://www.phrack.com/show.php?p=53&a=6
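As an added illustration (not part of the original post), the following Python shows what the decoder is actually reacting to: T/TCP signals itself with the connection-count TCP options defined in RFC 1644 (kinds 11, 12 and 13; the kind numbers are assumed from that RFC, which the post does not cite). The parser walks the TCP option list of a raw header and reports any T/TCP options, so a sensor owner can confirm on a captured packet whether the traffic really is T/TCP before deciding to suppress the alert with `config disable_ttcp_alerts`. The sample headers are constructed, not captured.

```python
import struct

# T/TCP connection-count option kinds (RFC 1644); the Snort decoder keys on
# these when it raises the "(snort_decoder): T/TCP" alert.
TTCP_OPTION_KINDS = {11: "CC", 12: "CC.NEW", 13: "CC.ECHO"}


def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, data) tuples from a raw TCP header (no IP header)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # EOL: stop parsing
            break
        if kind == 1:                                 # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d missing length" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length for kind %d" % kind)
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def ttcp_options(tcp_header: bytes):
    """Names of T/TCP options present; a non-empty list is what triggers the decoder alert."""
    return [TTCP_OPTION_KINDS[k] for k, _ in parse_tcp_options(tcp_header)
            if k in TTCP_OPTION_KINDS]


def build_tcp_header(sport, dport, flags, options: bytes) -> bytes:
    """Construct a minimal TCP header carrying the given options (padded to 4 bytes)."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4,
                       flags, 65535, 0, 0) + options


# Constructed samples: a SYN with MSS plus a T/TCP CC.NEW option (kind 12, len 6,
# arbitrary connection count 42), and a plain SYN carrying only MSS.
SAMPLE_TTCP_SYN = build_tcp_header(40000, 80, 0x02,
                                   b"\x02\x04\x05\xb4" + b"\x0c\x06\x00\x00\x00\x2a")
SAMPLE_PLAIN_SYN = build_tcp_header(40000, 80, 0x02, b"\x02\x04\x05\xb4")
```

Run `ttcp_options()` over the TCP headers of a few of the 23,000 offending packets; if the T/TCP options are present, the alert is working as designed and the question becomes whether you want to know about T/TCP at all, not whether the decoder is broken.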