Snort mailing list archives

Re: Anyone else seeing lots of 129 20 this am?


From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Fri, 30 Aug 2019 19:55:13 +0000

We don’t make changes to preprocessors; it’s in a rule update. It’s possible that this alert may not have been included in
the past and we just introduced it. That’s a possibility. But we didn’t change any code with this release.

Sent from my iPhone

On Aug 30, 2019, at 15:42, Daniel Rieille <dan.rieille () gmail com> wrote:


That's what we did. 
We got more than 250k of them today. Sguil server died. We had to delete those 250k alerts before being able to 
restart it successfully...

On Fri, 30 Aug 2019 at 21:32, Joel Esler (jesler) via Snort-users <snort-users () lists snort org> wrote:
As you all know, however, that is a preprocessor alert.  It may be as simple as shutting that preprocessor rule off?

On 8/30/19, 2:17 PM, "Snort-users on behalf of Michael Steele" <snort-users-bounces () lists snort org on behalf of 
michaels () winsnort com> wrote:

    I noticed that too on the last Snort update. Getting a LOT more alerts. I also updated the rules at the same 
time and never went back to the old rules to see if that was where the change came in? 

    WINSNORT.com Management Team Member
    --
    ********************************************************
    *     Since 2002 ~~ Visit http://www.winsnort.com
    *      ~~ FREE Windows installation Tutorials ~~
    *              ~~ FREE Support Forums ~~
    * Snort: Open Source Network IDS - http://www.snort.org
    ********************************************************

    -----Original Message-----
    From: Snort-users <snort-users-bounces () lists snort org> On Behalf Of James Lay via Snort-users
    Sent: Friday, August 30, 2019 11:26 AM
    To: Joel Esler (jesler) <jesler () cisco com>
    Cc: Snort <snort-users () lists snort org>
    Subject: Re: [Snort-users] Anyone else seeing lots of 129 20 this am?

    Something as in snort ;)  Same traffic, a LOT more alerts right after updates.

    On 2019-08-30 09:23, Joel Esler (jesler) wrote:
    > When you say "something changed", do you mean "Snort" changed.  Or 
    > "attacker behavior" may be changing?
    > 
    >> On Aug 30, 2019, at 8:13 AM, James Lay via Snort-users 
    >> <snort-users () lists snort org> wrote:
    >> 
    >> Yea something changed....I run ssh on a non-standard port and now I'm 
    >> seeing:
    >> 
    >> [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before 
    >> client request
    >> 
    >> after updating rules this AM:
    >> 
    >> Aug 30 01:10:22 snort[31692]: Decoding Ethernet
    >> Aug 30 01:17:53 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
    >> 
    >> that http_inspect hit rule is the first time I've seen that in my 
    >> logs....ever 😉
    >> 
    >> James
    >> 
    >> On Fri, 2019-08-30 at 06:05 -0600, James Lay via Snort-users wrote:
    >> 
    >>> Seeing massive amounts of [129:20:1] TCP session without 3-way 
    >>> handshake this morning....seems to be firing off on RST packets.
    >>> 
    >>> James
    >>> 
    >>> <Screenshot from 2019-08-30 06-05-03.png>
    >>> 
    >>> _______________________________________________
    >>> 
    >>> Snort-users mailing list
    >>> 
    >>> Snort-users () lists snort org
    >>> 
    >>> Go to this URL to change user options or unsubscribe:
    >>> 
    >>> https://lists.snort.org/mailman/listinfo/snort-users
    >>> 
    >>> To unsubscribe, send an email to:
    >>> 
    >>> snort-users-leave () lists snort org
    >>> 
    >>> Please visit http://blog.snort.org [1] to stay current on all the 
    >>> latest Snort news!
    >>> 
    >>> Please follow these rules:
    >>> https://snort.org/faq/what-is-the-mailing-list-etiquette
    >> 
    > 
    > 
    > 
    > Links:
    > ------
    > [1] http://blog.snort.org/


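The thread's problem is a preprocessor event (129:20, stream5 "TCP session without 3-way handshake") suddenly firing often enough after a rule update to take down the Sguil console. Before switching the preprocessor rule off, it helps to measure which generator is flooding and rate-limit it. The script below is an added example, not code from the thread or from the Snort project: it parses syslog-style Snort alert lines in the format quoted above (the sample lines are constructed), reports any decoder/preprocessor generator whose alert rate exceeds a threshold, and emits the Snort 2 `threshold.conf` `event_filter` line that caps that generator per source address instead of disabling it.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format quoted in the thread (not real captured data).
SAMPLE_LOG = """\
Aug 30 01:10:22 snort[31692]: Decoding Ethernet
Aug 30 06:05:00 snort[31692]: [129:20:1] (stream5) TCP session without 3-way handshake
Aug 30 06:05:00 snort[31692]: [129:20:1] (stream5) TCP session without 3-way handshake
Aug 30 06:05:01 snort[31692]: [129:20:1] (stream5) TCP session without 3-way handshake
Aug 30 06:05:01 snort[31692]: [129:20:1] (stream5) TCP session without 3-way handshake
Aug 30 06:05:03 snort[31692]: [120:18:3] (http_inspect) PROTOCOL-OTHER HTTP server response before client request
Aug 30 06:05:09 snort[31692]: [1:1000001:1] HYPOTHETICAL text rule hit
"""

# Syslog line: "<Mon> <day> <hh:mm:ss> snort[pid]: [gid:sid:rev] (preproc) msg"; the "(preproc)" tag is optional.
ALERT_RE = re.compile(
    r"^\w{3} +\d{1,2} (?P<time>\d\d:\d\d:\d\d) \S+: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?:\((?P<preproc>[^)]+)\) )?(?P<msg>.*)$"
)

def parse_alerts(text):
    """Return (gid, sid, preproc_or_None, msg, seconds_since_midnight) per alert line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m["time"].split(":"))
            out.append((int(m["gid"]), int(m["sid"]), m["preproc"], m["msg"], h * 3600 + mi * 60 + s))
    return out

def noisy_generators(text, max_per_minute=100):
    """Map "gid:sid" -> alerts per minute for every generator above max_per_minute.
    GIDs other than 1 (text rules) and 3 (shared-object rules) are treated as decoder/preprocessor events."""
    times = defaultdict(list)
    for gid, sid, _, _, t in parse_alerts(text):
        times[f"{gid}:{sid}"].append(t)
    result = {}
    for key, ts in times.items():
        span = max(ts[-1] - ts[0], 1)  # seconds; a single alert gets a one-second window
        rate = len(ts) * 60 / span
        if int(key.split(":")[0]) not in (1, 3) and rate > max_per_minute:
            result[key] = rate
    return result

def event_filter_line(key, count=1, seconds=60):
    """Snort 2 threshold.conf line that caps a generator per source instead of disabling it outright."""
    gid, sid = key.split(":")
    return f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count {count}, seconds {seconds}"
```

On the sample data only 129:20 is flagged (240 alerts/minute), and the suggested filter keeps one event per source per minute so the console stays usable while the traffic is still visible.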


