Snort mailing list archives
Re: too many Alerts (129:12:0)---more than 7000 alerts /per day
From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Thu, 30 Dec 2010 10:23:41 -0500
If you compiled with --enable-decoder-preprocessor-rules, and are using the preprocessor.rules file, you can just comment out the rule there. Additionally, if you are seeing lots of small segments it sounds like you might be looking at a lot of file server / NFS traffic. Does it all come from a few locations?

Cheers,
-matt

On Thu, Dec 30, 2010 at 2:07 AM, Jun Wan <junwei_wan () hotmail com> wrote:
Happy 2011 (almost) to all,

My Snort 2.8.6.0 is running on Ubuntu 10.04 (32bit) with Snort Report 1.3.1. There were 7000~10000 alerts (129:12:0) every day, which slowed down Snort Report's data loading, so I did the following in threshold.conf and tried to reduce the number of the alerts:

    threshold gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60

Not much improvement (still 7000+ alerts (129:12:0) per day), then I did the following in Snort.conf:

From:

    preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
        overlap_limit 10, small_segments 3 bytes 100, timeout 180,

To:

    preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
        overlap_limit 20, small_segments 6 bytes 250, timeout 180,

But Snort is still producing 7000+ alerts (129:12:0) every day; I am not sure whether what I did above is the right way to reduce the number of these alerts. Any suggestion to reduce the number of these alerts would be much appreciated.

Thanks
Regards
John
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
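Matt's question, whether the 129:12 events all come from a few locations, can be answered from Snort's alert_fast output before any threshold is tuned. The script below is an added example, not from this thread or from the Snort project; the log lines are constructed, and the field layout it assumes is the alert_fast format (`[gid:sid:rev] ... {PROTO} src:port -> dst:port`).

```python
import re
from collections import Counter

# Constructed sample lines in Snort's alert_fast format (not taken from the thread).
# gid:sid 129:12 is the stream5 "small segments" preprocessor event discussed above.
SAMPLE_ALERTS = """\
12/30-09:01:02.112233  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.10:2049 -> 192.0.2.50:41233
12/30-09:01:02.114400  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.10:445 -> 192.0.2.51:50111
12/30-09:01:03.000100  [**] [1:2000001:1] Unrelated content rule [**] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.50:41300
12/30-09:01:04.500000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.11:2049 -> 192.0.2.50:41240
12/30-09:01:05.200000  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.10:2049 -> 192.0.2.52:41250
"""

# One alert_fast record: [gid:sid:rev] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(lines):
    """Yield the parsed fields of every line that looks like an alert_fast record."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def count_by_source(lines, gid="129", sid="12"):
    """Count alerts for one gid:sid by source IP and by (source IP, source port).

    The per-port view separates NFS (2049) from SMB (445) style traffic, i.e. the
    file-server activity Matt suspects is behind the flood of small segments.
    """
    by_src, by_src_port = Counter(), Counter()
    for a in parse_alerts(lines):
        if a["gid"] == gid and a["sid"] == sid:
            by_src[a["src"]] += 1
            by_src_port[(a["src"], int(a["sport"]))] += 1
    return by_src, by_src_port

if __name__ == "__main__":
    src, src_port = count_by_source(SAMPLE_ALERTS.splitlines())
    for host, n in src.most_common():
        print(f"{host:15} {n}")
    for (host, port), n in src_port.most_common():
        print(f"{host:15} :{port:<5} {n}")
```

To run it against a real sensor, pass the lines of the alert file (e.g. `open("/var/log/snort/alert")`) to `count_by_source` instead of `SAMPLE_ALERTS.splitlines()`; if a handful of file servers dominate the output, a `suppress` or per-source `threshold` for 129:12 scoped to those hosts is a narrower fix than raising the global small_segments limits.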