Snort mailing list archives
too many stream5_tcp alerts
From: carlopmart <carlopmart () gmail com>
Date: Wed, 16 Mar 2011 18:56:37 +0100
Hi all, I have a problem with my stream5_tcp policy. I have deployed a Snort 2.9.0.4 sensor on a management network on which two StoneGate firewalls and one StoneGate management center reside. Immediately after Snort is up, a lot of errors are displayed:

03/14-23:54:55.602720 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:54:58.105021 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:54:59.376684 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:01.376577 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:02.900976 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:03.900766 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:06.900231 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:06.900264 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:09.414888 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:10.414745 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:12.939057 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:13.939108 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:15.938212 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:17.950416 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:19.465618 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:20.955753 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:22.977765 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:24.979543 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:25.976063 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:28.497646 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:29.505225 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:32.015094 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:33.015073 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:36.014742 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:36.014790 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:39.529009 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:39.529053 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:43.052674 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:43.052682 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:47.051340 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:47.051363 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:50.566954 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:50.567034 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:54.090381 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:54.090472 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:58.093992 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:55:58.094003 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:01.107685 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:01.107725 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:04.387497 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:05.387408 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:08.398691 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:08.398717 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:11.388473 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:12.425792 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:15.425487 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:16.425734 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:19.424430 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:19.424511 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:22.464564 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:23.463572 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:56:26.462722 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:56:27.470190 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711

192.168.34.3 is the StoneGate management center, and the firewalls are 192.168.34.5 and 192.168.34.6. My stream5_tcp policy is configured like this:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no, \
    max_active_responses 2, min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150 ignore_ports 3020 8905, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
    161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
    7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 5250 6907 7001 7702 7777 7779 \
    7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
    7917 7918 7919 7920 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371

I have added StoneGate's administration ports, 3020 and 8905, as ignored ports under small_segments, without luck. What am I doing wrong in the stream5_tcp policy? Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
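Added example, not part of the post and not Snort's own code: a small triage script of the kind one would run over the alert_fast output above before touching the policy. It parses the alert lines, counts them per signature (gid:sid) and per unidirectional flow, and pulls the port list behind small_segments ... ignore_ports out of the stream5_tcp line so that flows which still alert despite involving an "ignored" port can be listed directly. The sample alert lines and the config fragment embedded below are constructed from the post (a handful of lines, not the full dump); the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: four of the alert_fast lines from the post.
SAMPLE_ALERTS = """\
03/14-23:54:55.602720 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:54:58.105021 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
03/14-23:54:59.376684 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.6:50711
03/14-23:55:01.376577 [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.34.3:3020 -> 192.168.34.5:40151
"""

# Constructed sample: the stream5_tcp line from the post with its backslash
# continuations joined, truncated after the first few client ports.
SAMPLE_STREAM5_TCP = (
    "preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, "
    "overlap_limit 10, small_segments 3 bytes 150 ignore_ports 3020 8905, timeout 180, "
    "ports client 21 22 23"
)

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol and the 4-tuple.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def summarize(alerts):
    """Return (alerts per 'gid:sid', alerts per unidirectional flow)."""
    by_sig = Counter(f"{a['gid']}:{a['sid']}" for a in alerts)
    by_flow = Counter((a["src"], a["sport"], a["dst"], a["dport"]) for a in alerts)
    return by_sig, by_flow


def small_segments_ignore_ports(config_line):
    """Extract the ports listed after 'ignore_ports' in the small_segments option.

    Returns an empty set when small_segments is absent or has no ignore_ports list.
    """
    m = re.search(
        r"small_segments\s+\d+\s+bytes\s+\d+(?:\s+ignore_ports((?:\s+\d+)+))?",
        config_line,
    )
    if not m or not m.group(1):
        return set()
    return {int(p) for p in m.group(1).split()}


def flows_touching_ignored_ports(alerts, ignored):
    """Flows that still alert although one of their ports is in the ignore list."""
    return sorted(
        {(a["src"], a["sport"], a["dst"], a["dport"]) for a in alerts
         if a["sport"] in ignored or a["dport"] in ignored}
    )


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    sigs, flows = summarize(parsed)
    ignored_ports = small_segments_ignore_ports(SAMPLE_STREAM5_TCP)
    print("alerts per signature:", dict(sigs))
    for flow, n in flows.most_common():
        print(f"{n:4d}  {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")
    print("small_segments ignore_ports:", sorted(ignored_ports))
    print("still alerting on an ignored port:",
          flows_touching_ignored_ports(parsed, ignored_ports))
```

Feeding the full alert file and the real snort.conf line into the two parsers gives the per-flow counts and the ignore list side by side; if every alerting flow shows up in the last list, the ignore_ports setting is demonstrably not matching the traffic, which narrows the question to how the ports are being compared rather than whether the option was applied.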