Snort mailing list archives

Re: Stream preprocessor small segment port suppression


From: Russ <rucombs () cisco com>
Date: Thu, 21 Jul 2016 13:46:27 -0400

The rationale is that typically the traffic would be between a 
relatively slow human and a much quicker computer.  So the computer 
would tend to fill segments whereas the human would not.

You can suppress these events from a particular host if they are too noisy.

On 7/21/16 1:14 PM, Andrea Venturoli wrote:
Hello.

I've got another question about Stream preprocessor...

small_segments features an "ignore_ports" option; so, for example, I
could put the following in my config:

small_segments 5 bytes 100 ignore_ports 23

The idea is that the telnet protocol will often use small packets, so
I'll just have snort live with it and not overwhelm me with such alerts.

However, I found out that only the destination port will be taken into
account, so packets traveling from client to server will get ignored,
but packets flying from server to client (random port here!) will still
trigger the alert.

Of course "telnet" is just an example, I'm also seeing this with SSH,
NFS, VPNs, etc...



I'm wondering why only the destination port is taken into account, since
I can't see the rationale behind this choice.
Or maybe I'm doing something wrong, missing some other option,
forgetting some other thing?


   bye & Thanks
      av.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
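As an added illustration, not code from this thread or from Snort itself, here is a small Python model of the behaviour both posts describe: the small_segments counter is kept per flow direction, only the packet's destination port is compared against ignore_ports, and a per-host suppression list stands in for Russ's suggested suppress entry. The hosts, ports and payload sizes are constructed sample data, and the counting logic is a deliberate simplification of the real preprocessor.

```python
from collections import defaultdict

def parse_small_segments(option):
    """Parse 'small_segments <num> bytes <size> [ignore_ports <p>...]'.
    Returns (threshold, max_bytes, ignore_ports)."""
    tokens = option.split()
    if tokens[0] != "small_segments" or tokens[2] != "bytes":
        raise ValueError("not a small_segments option: %r" % option)
    threshold, max_bytes = int(tokens[1]), int(tokens[3])
    ports = set()
    if len(tokens) > 4:
        if tokens[4] != "ignore_ports":
            raise ValueError("unexpected token %r" % tokens[4])
        ports = {int(p) for p in tokens[5:]}
    return threshold, max_bytes, ports

def small_segment_alerts(packets, threshold, max_bytes, ignore_ports, suppress_src=()):
    """packets: (src_ip, sport, dst_ip, dport, payload_len) in arrival order.
    Returns one (src_ip, sport, dst_ip, dport) tuple per alert raised.
    Simplified model: only the destination port is checked against
    ignore_ports, as observed in the thread; suppress_src mimics a
    by_src host suppression."""
    consecutive = defaultdict(int)   # small-segment run length per direction
    alerts = []
    for src, sport, dst, dport, plen in packets:
        if dport in ignore_ports:    # client->server on an ignored port: skipped
            continue
        key = (src, sport, dst, dport)
        if 0 < plen < max_bytes:
            consecutive[key] += 1
        else:
            consecutive[key] = 0
        if consecutive[key] >= threshold:
            consecutive[key] = 0     # reset after firing, like a threshold event
            if src not in suppress_src:
                alerts.append(key)
    return alerts

# Constructed telnet session: six 1-byte keystrokes each way.
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
SAMPLE = ([(CLIENT, 51000, SERVER, 23, 1)] * 6 +    # client -> server, dport 23
          [(SERVER, 23, CLIENT, 51000, 1)] * 6)     # server -> client, dport 51000

def demo(option="small_segments 5 bytes 100 ignore_ports 23", suppress_src=()):
    thr, size, ports = parse_small_segments(option)
    return small_segment_alerts(SAMPLE, thr, size, ports, suppress_src)

if __name__ == "__main__":
    print(demo())                           # only the server->client direction alerts
    print(demo(suppress_src=(SERVER,)))     # suppressed by source host: no alerts
```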

