Snort mailing list archives
Stream preprocessor 3WHS port suppression
From: Andrea Venturoli <ml () netfence it>
Date: Thu, 7 Jul 2016 11:22:52 +0200
Hello. Please forgive if this is a nooby question... I've got a box which is triggering tons of
[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.13:2049 -> 10.1.2.15:989
That stream is due to an NFS mount, so it will always start before Snort, and Snort will never see the handshake. From README.stream5, the only argument to "require_3whs" is a delay, which won't help in this case.

Is it possible to suppress this check on a given set of ports (2049 in my case), like "ignore_ports" does for "small_segments"?

bye & Thanks
av.