
[Snort-users] Stream preprocessor 3WHS port suppression


Andrea Venturoli

Jul 7, 2016, 5:52:39 AM
Hello.

Please forgive me if this is a nooby question...

I've got a box which is triggering tons of
> [129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.13:2049 -> 10.1.2.15:989

That stream is due to an NFS mount, so it will always start before
Snort, and Snort will never see the handshake.

From README.stream5, the only argument to "require_3whs" is a delay,
which won't help in this case.

Is it possible to suppress this check on a given set of ports (2049 in
my case), like "ignore_ports" does for "small_segments"?

bye & Thanks
av.

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Andrea Venturoli

Jul 7, 2016, 8:12:26 AM
On 07/07/16 12:20, Rafael Paris wrote:
> Hello.
> With threshold.conf you can ignore completely that signature by ip_src
> or ip_dst.

I know (although I thought it was deprecated in favour of an equivalent
"suppress" rule).

> I don't think there's an option to ignore the ports as well.

Is there a reason behind that?
I mean, would it be sensible to support filtering by port or would that
be illogical for whatever reason I'm not aware of?
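As an added example (not from the thread, the patch linked later, or the Snort project): a defender-side post-filter that parses alert lines in the format quoted in the first message and drops only stream5's 129:20 "TCP session without 3-way handshake" alert when one endpoint is on a port whose sessions are known to predate Snort, i.e. the per-port suppression the thread asks for and that threshold.conf can only express per IP. The port policy, the sample alert lines and the 129:12 line are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Set

# Matches the alert_fast-style line quoted in the thread; search() tolerates the
# usual timestamp and "[**]" prefix that precede the [gid:sid:rev] field.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict (numeric fields as int), or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[key] = int(a[key])
    return a

# Hypothetical local policy: NFS (2049) sessions predate Snort, so no handshake is seen.
IGNORE_3WHS_PORTS: Set[int] = {2049}

def suppressed(alert: dict, ignore_ports: Set[int] = IGNORE_3WHS_PORTS) -> bool:
    """True only for stream5's 129:20 when either endpoint is an ignored port;
    every other gid:sid passes through, so unrelated alerts on those ports stay."""
    if (alert["gid"], alert["sid"]) != (129, 20):
        return False
    return alert["sport"] in ignore_ports or alert["dport"] in ignore_ports

def filter_alerts(lines: Iterable[str], ignore_ports: Set[int] = IGNORE_3WHS_PORTS) -> List[str]:
    """Drop suppressed 129:20 lines; keep everything else, unparsable lines included."""
    kept = []
    for line in lines:
        a = parse_alert(line)
        if a is None or not suppressed(a, ignore_ports):
            kept.append(line)
    return kept

# Constructed sample alerts: the NFS line from the thread, the same signature on
# a port outside the policy, and a different stream5 signature on port 2049.
SAMPLE_ALERTS = [
    "[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.13:2049 -> 10.1.2.15:989",
    "[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.40:445 -> 10.1.2.15:50122",
    "[129:12:1] TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.13:2049 -> 10.1.2.15:989",
]
```

Because the check is keyed on gid:sid as well as port, a genuine handshake-less session on an unlisted port, or any other stream5 event on port 2049, is still reported.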

Andrea Venturoli

Jul 13, 2016, 12:58:57 PM
On 07/07/16 13:27, Andrea Venturoli wrote:

>> I don't think there's an option to ignore the ports as well.
>
> Is there a reason behind that?
> I mean, would it be sensible to support filtering by port or would that
> be illogical for whatever reason I'm not aware of?

Since I got no answer, I guess there is no reason *not* to have this
option; so I patched the source code and I think it's working.

In case someone is interested or cares to double-check, the diffs can be
downloaded from
http://netfence.it/download/snort_3whs_ignore_port_patch.tbz

bye
av.


wkit...@windstream.net

Jul 13, 2016, 2:55:10 PM
On 07/13/2016 05:44 AM, Andrea Venturoli wrote:
> On 07/07/16 13:27, Andrea Venturoli wrote:
>
>>> I don't think there's an option to ignore the ports as well.
>>
>> Is there a reason behind that?
>> I mean, would it be sensible to support filtering by port or would that
>> be illogical for whatever reason I'm not aware of?
>
> Since I got no answer, I guess there is no reason *not* to have this
> option; so I patched the source code and I think it's working.

ummm... did you try simply removing that option from the original conf line?
normally if you want to disable an option in those processors, you just remove
it...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.