Suppressing Stream5 preprocessor - not working


Gordon Wallum

Sep 3, 2019, 2:23:37 PM
to security-onion
Hello,

Our Security Onion deployment is being flooded with Stream5 preprocessor alert 129 || 20 || stream5: TCP session without 3-way handshake. I have tried to disable/suppress it with no success.
  • I have tried using threshold.conf and disabledsid.conf

Below is my threshold.conf configuration
  • suppress gen_id 129, sig_id 20

Sostat-redacted is attached. Any help would be appreciated!

Gordon




sostat-redacted.txt

Tom Wood

Sep 3, 2019, 2:39:25 PM
to securit...@googlegroups.com

Steven J

Sep 4, 2019, 12:41:18 AM
to securit...@googlegroups.com
Hi Gordon,

For other gen_id:129 rules, I am using
suppress gen_id 129, sig_id 15, track by_src, ip 172.16.1.0/16


At the same time, where these events have been flooding most installations, there could be a backlog of events that have not been processed yet.  Even though you have suppressed future alerts, the backlog is still likely being pushed through.
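
As an added illustration (not code from the thread or from Security Onion), here is a small Python checker for threshold.conf suppress entries of the two shapes quoted above: it parses them and reports whether a given alert would be silenced, which is a quick way to confirm an entry matches before restarting the sensor. The parser, class and function names are this example's own; it assumes the plain form applies to all traffic and the track by_src/by_dst form only to the listed network.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
# Two suppress forms seen in this thread: plain gen_id/sig_id, and with track by_src|by_dst, ip <cidr>
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str] = None  # "by_src", "by_dst", or None (applies to all traffic)
    net: object = None           # ip_network, only when track is set

def parse_suppress(line: str) -> Suppress:
    """Parse one threshold.conf suppress line; raise ValueError on bad syntax."""
    m = SUPPRESS_RE.match(line)
    if not m:
        raise ValueError(f"not a valid suppress entry: {line!r}")
    gen, sig, track, ip = m.groups()
    # strict=False tolerates host bits in the prefix: 172.16.1.0/16 -> 172.16.0.0/16
    net = ipaddress.ip_network(ip, strict=False) if ip else None
    return Suppress(int(gen), int(sig), track, net)

def load_threshold_conf(text: str) -> list:
    """Collect suppress entries from a threshold.conf body, ignoring comments and blanks."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [parse_suppress(ln) for ln in lines if ln.startswith("suppress")]

def is_suppressed(entries, gen_id: int, sig_id: int, src: str, dst: str) -> bool:
    """True if any entry would silence an alert with this gen_id/sig_id and endpoints."""
    for e in entries:
        if (e.gen_id, e.sig_id) != (gen_id, sig_id):
            continue
        if e.track is None:
            return True  # unconditional suppress: every matching alert is dropped
        addr = ipaddress.ip_address(src if e.track == "by_src" else dst)
        if addr in e.net:
            return True
    return False

# Constructed sample conf containing the two entries quoted in this thread.
SAMPLE_CONF = """\
# stream5 entries
suppress gen_id 129, sig_id 20
suppress gen_id 129, sig_id 15, track by_src, ip 172.16.1.0/16
"""
```

Note that a correct entry only stops future alerts; as Steven says, events already queued before the change still arrive until the backlog drains.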

Gordon Wallum

Sep 4, 2019, 1:30:22 PM
to securit...@googlegroups.com
Thanks Steven,

The resolution was to clear the backlog. We were flooded with events.



Steven J

Sep 4, 2019, 2:56:58 PM
to securit...@googlegroups.com