Snort mailing list archives
Re: Stream preprocessor small segment port suppression
From: Russ <rucombs () cisco com>
Date: Thu, 21 Jul 2016 13:46:27 -0400
The rationale is that typically the traffic would be between a relatively slow human and a much quicker computer. So the computer would tend to fill segments whereas the human would not. You can suppress these events from a particular host if they are too noisy.

On 7/21/16 1:14 PM, Andrea Venturoli wrote:
Hello.

I've got another question about the Stream preprocessor... small_segments features an "ignore_ports" option; so, for example, I could put the following in my config:

small_segments 5 bytes 100 ignore_ports 23

The idea is that the telnet protocol will often use small packets, so I'll just have snort live with it and not overwhelm me with such alerts.

However, I found out that only the destination port will be taken into account, so packets traveling from client to server will get ignored, but packets flying from server to client (random port here!) will still trigger the alert.

Of course "telnet" is just an example, I'm also seeing this with SSH, NFS, VPNs, etc...

I'm wondering why only the destination port is taken into account, since I can't see the rationale behind this choice. Or maybe I'm doing something wrong, missing some other option, forgetting some other thing?

bye & Thanks
av.

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports. http://sdm.link/zohodev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
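To make the asymmetry in this exchange concrete, here is an added model (not Snort's code, and not posted by either participant) of the small_segments option as configured above. It assumes, as Andrea observed, that ignore_ports is matched against the destination port only, and adds a hypothetical both_ports switch to show what a symmetric check would do with the same telnet session.

```python
# Added example (not Snort's own code): a small model of the Stream
# small_segments option as configured in this thread,
#   small_segments 5 bytes 100 ignore_ports 23
# Assumption modelled: ignore_ports is compared against the destination
# port only, which is what Andrea observed.
from dataclasses import dataclass

SMALL_SEG_COUNT = 5    # consecutive small segments before an event fires
SMALL_SEG_BYTES = 100  # payload shorter than this counts as "small"
IGNORE_PORTS = {23}    # telnet, from the example config in the thread

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int

def ignored(seg, both_ports=False):
    """Port suppression check. both_ports=True is the hypothetical
    symmetric behaviour Andrea expected; the default is the observed one."""
    if both_ports and seg.sport in IGNORE_PORTS:
        return True
    return seg.dport in IGNORE_PORTS

def small_segment_events(segments, both_ports=False):
    """Return one (src, sport, dst, dport) tuple per direction whose run of
    consecutive small segments reaches the configured threshold."""
    runs, events = {}, []
    for seg in segments:
        if ignored(seg, both_ports):
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.payload_len >= SMALL_SEG_BYTES:
            runs[key] = 0          # a filled segment resets the run
            continue
        runs[key] = runs.get(key, 0) + 1
        if runs[key] == SMALL_SEG_COUNT:
            events.append(key)     # fire once when the threshold is hit
    return events

# Constructed sample telnet session: one-byte keystrokes from the human,
# short echoes/prompts back from the server, six segments each way.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
TELNET = ([Segment(CLIENT, 40001, SERVER, 23, 1) for _ in range(6)]
          + [Segment(SERVER, 23, CLIENT, 40001, 40) for _ in range(6)])
```

Running small_segment_events(TELNET) reports only the server-to-client direction (source port 23, random destination port), which is exactly the alert Andrea still sees; with both_ports=True nothing is reported, which is why a per-host suppression, as Russ suggests, is the practical workaround.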