Snort mailing list archives
Re: stream5 tcp session without 3-way handshake overload
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 12 Aug 2014 23:51:49 +0000
I think what you want is: "http://manual.snort.org/node206.html"

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
On Aug 12, 2014, at 4:08 PM, Robert Millott <robm () millottandassociates com> wrote:

All,

I am getting so many alerts in my logs it fills up /var/log/message and shuts down snort. The alert I see most is

stream5: TCP session without 3-way handshake.

I googled it, and everything I find on the "Check_session_hijacking" says "The default is set to off". I am not sure why I am getting all these alerts if the default is off, but more importantly, how do I actually disable it? I am fairly sure I know why I am getting them, and that will take a longer time to fix, so I just need to disable this alert. My snort.conf does not have anything about session_hijacking in it, so I'm not sure if I just need to add a line to disable it or what.

Details:
Gentoo 3.14.4
Snort 2.9.6.0 GRE (build 47)
Barnyard: 2.1.13 (build 327)

snort is outputting to /var/log/snort.u2 which barnyard is reading and writing to /var/log/messages

snort.conf:
output unified2: filename snort1.u2, limit 128

barnyard.conf :
output log_syslog_full: sensor_name xxxxxxx, local, log_priority log_alert, operation_mode default

Any help would be greatly appreciated

--
Robert Millott
President, Millott and Associates
(443) 255-3588

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
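A triage sketch for the alert flood described in the thread, added here as an example and not part of either poster's message: it tallies alerts per generator/signature ID and proposes a rate-limiting event_filter line for any signature that dominates the log, so the noisy alert is throttled without losing sight of how widespread it is. The sample lines are constructed in Snort's fast-alert layout, the 129:20 ID shown for the stream5 message is an assumption to confirm against the sensor's own output, and `tally`, `tuning_lines` and the `share` threshold are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's fast-alert text layout (not from the thread).
# Assumption: the stream5 message is reported as gid 129, sid 20 on this sensor.
SAMPLE = """\
08/12-16:01:02.000001  [**] [129:20:1] stream5: TCP session without 3-way handshake [**] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.5:443
08/12-16:01:02.000409  [**] [129:20:1] stream5: TCP session without 3-way handshake [**] [Priority: 3] {TCP} 192.0.2.10:51001 -> 198.51.100.5:443
08/12-16:01:03.120000  [**] [129:20:1] stream5: TCP session without 3-way handshake [**] [Priority: 3] {TCP} 192.0.2.11:40222 -> 198.51.100.5:80
08/12-16:01:04.500000  [**] [1:1000001:1] constructed local rule [**] [Priority: 2] {TCP} 192.0.2.50:3333 -> 198.51.100.9:22
08/12-16:01:05.750000  [**] [129:20:1] stream5: TCP session without 3-way handshake [**] [Priority: 3] {TCP} 192.0.2.10:51002 -> 198.51.100.5:443
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)

def tally(text):
    """Count alerts per (gid, sid), and per source address within each signature."""
    by_sig, by_src, msgs = Counter(), {}, {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line; ignore
        key = (int(m["gid"]), int(m["sid"]))
        by_sig[key] += 1
        by_src.setdefault(key, Counter())[m["src"]] += 1
        msgs[key] = m["msg"]
    return by_sig, by_src, msgs

def tuning_lines(text, share=0.5):
    """Propose an event_filter for each signature above `share` of all alerts.

    `type limit` keeps the first alert per source per window, so the event
    stays visible; a bare `suppress gen_id G, sig_id S` would hide it entirely.
    """
    by_sig, by_src, msgs = tally(text)
    total = sum(by_sig.values())
    out = []
    for (gid, sid), n in by_sig.most_common():
        if total and n / total > share:
            key = (gid, sid)
            out.append(f"# {msgs[key]}: {n}/{total} alerts from {len(by_src[key])} sources")
            out.append(f"event_filter gen_id {gid}, sig_id {sid}, "
                       "type limit, track by_src, count 1, seconds 60")
    return out

if __name__ == "__main__":
    print("\n".join(tuning_lines(SAMPLE)))
```

The proposed lines belong in snort.conf or the threshold file it includes; the per-source count in the comment line shows whether the flood comes from one host or many before anything is throttled.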