Snort mailing list archives
Re: Can't alert on most
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Mar 2014 07:25:31 -0500
On 3/3/2014 9:48 PM, Michael Wisniewski wrote:
> ...and there's some other alerts, but the TCP small segments are the ones that dominate the log. I can do a nmap scan from offsite and all I see are the above alert; nothing about a portscan. Does anybody know why I'm seeing this? In the conf file, I have pretty much all stock (except for the paths). Is there something else that needs to be enabled in order to see the proper alerts?
it really isn't about seeing "the proper alerts"... the small segments alerts are proper alerts... the question is how do you want to solve it... there are several ways... one way is to disable the rule by commenting it out in the preprocessor rules file... another way is to threshold the rule... but tuning your snort.conf's stream5_tcp small_segments settings or removing the small_segments settings portion of the config would probably be better... IMO, the former is preferred, with the latter and others being (extreme) last resort methods...

--
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.
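The three options waldo lists (tune or drop the stream5_tcp small_segments setting, threshold the event, or comment out the preprocessor rule) as concrete config fragments. This is an added example, not text from the list post; it assumes Snort 2.9.x syntax, the first stream5_tcp line mirrors the stock snort.conf setting as I recall it, and the tuned numbers and ignored ports are made-up values to be replaced with ones derived from your own traffic.

```conf
# Added example (not from the list post): handling noisy
# STREAM5_SMALL_SEGMENT events (gid 129, sid 12) in Snort 2.9.x.
# Numbers and ports below are assumptions for illustration only.

# --- snort.conf, the setting that generates the noise ---
# Any flow with 3 consecutive segments under 150 bytes fires 129:12.
# Interactive SSH, keep-alive probes and nmap's tiny probes all do this,
# so on a mostly stock config this event dominates the log.
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    small_segments 3 bytes 150

# --- snort.conf, preferred fix: tune the detector itself ---
# Require more and smaller segments before alerting, and exempt ports
# whose normal traffic is legitimately made of tiny segments
# (assumed list: ssh, telnet, rdp).
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    small_segments 6 bytes 64 ignore_ports 22 23 3389

# Or remove the option altogether; the check is disabled when
# small_segments is absent (default 0).
# preprocessor stream5_tcp: policy windows, detect_anomalies

# --- threshold.conf, second choice: rate-limit the event ---
# Detection keeps running, but at most one 129:12 event is logged per
# source address every 60 seconds.
event_filter gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60

# --- preprocessor.rules, last resort: silence the rule entirely ---
# Comment out the line carrying sid 12 / gid 129 (exact text varies by version).
# alert ( msg: "STREAM5_SMALL_SEGMENT"; sid: 12; gid: 129; metadata: rule-type preproc; classtype: protocol-command-decode; )
```

The first two fragments are alternatives for the same stream5_tcp line, so only one of them should be active. The event_filter keeps the sensor's view of segmentation anomalies intact while cutting the log volume, which is why it sits above the rule-level disable: once the rule is commented out you lose the signal for every host, not just the noisy ones.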