[Snort-devel] another stream4 problem

Martin Roesch roesch at ...402...
Mon Jul 2 09:42:28 EDT 2001

It probably means that I need to tune things a little more. :)  Some (a
lot) of the activity that it's detecting is probably bogus, but I find
those WINDOW VIOLATION alerts interesting.  What's the primary platform
on your network?  I'm going to tune the STEALTH ACTIVITY alerts today to
not pop for certain things, and I'm also going to fix the code so that
you can actually turn the alerts off. :)

> spp_stream4: STEALTH ACTIVITY detection      16814 (12%)

STEALTH ACTIVITY = bad flags when the stream was picked up (like SYN
FIN, naked RST, naked FIN, etc).  I've got to tune this one.

> spp_stream4: EVASIVE RST detection      3172 (2%)

A RST packet for a session came in and its sequence number was either
outside of the window or below the last ack received from the other side
of the connection.

> spp_stream4: EVASIVE RETRANSMISSION detection      4491 (3%)

This is where a packet shows up with a sequence number that's below the
last ack'd number.

> spp_stream4: WINDOW VIOLATION detection      55097 (40%)

You get these when Snort sees data in a packet that goes outside the
current window size for the session.

> what does this all mean? (don't tell me that it's normal and that my
> servers have stupid MS TCP/IP stacks - they do not (at least most of
> them) :) )

Bear with me, this thing is still in beta... :)


Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
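The four stream4 heuristics described in the reply above, as an added worked example that is not part of the original message and is not Snort's own code (it is not derived from the stream4 source): a small Python session tracker that records, per direction, the last ACK number and advertised window seen, then raises the same four alert names on a constructed packet trace. The Packet fields, the endpoint strings, run_trace() and the trace itself are assumptions for illustration; 32-bit sequence wraparound, TCP options and the sequence number consumed by SYN/FIN are deliberately ignored.

```python
from collections import namedtuple

# Constructed packet record (an assumption, not Snort's internal struct).
# flags is a string of TCP flag letters; ack is meaningful only when "A"
# is present; window is the advertised receive window; length is payload bytes.
Packet = namedtuple("Packet", "src dst flags seq ack window length")


class Stream4Like:
    """Toy re-creation of the four stream4 alert conditions.

    sessions maps an unordered endpoint pair to a dict that stores, for each
    endpoint, (last ACK number it sent, window it advertised).  A packet from
    A to B is judged against what B last told A: B's ACK is the highest byte
    B has acknowledged, and B's ACK + B's window is the edge of the receive
    window B is offering.  Sequence wraparound is ignored (assumption).
    """

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _key(pkt):
        return frozenset((pkt.src, pkt.dst))

    def process(self, pkt):
        alerts = []
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            # Stream is being picked up here: flag combinations that should
            # never open a conversation (SYN+FIN, naked RST, naked FIN, no flags).
            bad = (
                ("S" in pkt.flags and "F" in pkt.flags)
                or ("R" in pkt.flags and "A" not in pkt.flags)
                or ("F" in pkt.flags and "A" not in pkt.flags)
                or pkt.flags == ""
            )
            if bad:
                alerts.append("STEALTH ACTIVITY")
            sess = {}
            self.sessions[key] = sess

        peer = sess.get(pkt.dst)  # what the other side last acked/advertised
        if peer is not None:
            last_ack, win = peer
            window_edge = last_ack + win
            if "R" in pkt.flags:
                # RST whose sequence number is below the peer's last ACK or
                # outside the window the peer is offering.
                if pkt.seq < last_ack or pkt.seq >= window_edge:
                    alerts.append("EVASIVE RST")
            elif pkt.length > 0:
                # Data starting below the last acknowledged byte.
                if pkt.seq < last_ack:
                    alerts.append("EVASIVE RETRANSMISSION")
                # Data extending past the advertised window.
                if pkt.seq + pkt.length > window_edge:
                    alerts.append("WINDOW VIOLATION")

        if "A" in pkt.flags:
            sess[pkt.src] = (pkt.ack, pkt.window)
        return alerts


# Constructed trace (assumption): a normal handshake and data exchange
# followed by one packet of each anomalous kind.  Client ISN 1000, server
# ISN 5000, server window 8192, client window 65535.
C, S = "10.0.0.1:40000", "10.0.0.2:80"
TRACE = [
    Packet(C, S, "S", 1000, 0, 65535, 0),        # SYN
    Packet(S, C, "SA", 5000, 1001, 8192, 0),     # SYN/ACK
    Packet(C, S, "A", 1001, 5001, 65535, 0),     # ACK, handshake done
    Packet(C, S, "PA", 1001, 5001, 65535, 100),  # 100 bytes of client data
    Packet(S, C, "A", 5001, 1101, 8192, 0),      # server acks bytes 1001-1100
    Packet(C, S, "PA", 1001, 5001, 65535, 100),  # resend below last ack
    Packet(C, S, "PA", 1101, 5001, 65535, 9000), # overruns the 8192 window
    Packet(C, S, "R", 1001, 0, 0, 0),            # RST below last ack
    Packet("10.0.0.3:1234", S, "SF", 77, 0, 1024, 0),  # new stream, SYN+FIN
    Packet("10.0.0.4:1234", S, "F", 77, 0, 1024, 0),   # new stream, naked FIN
]


def run_trace(trace=TRACE):
    """Return the list of alerts raised for each packet, in trace order."""
    tracker = Stream4Like()
    return [tracker.process(pkt) for pkt in trace]


if __name__ == "__main__":
    for pkt, alerts in zip(TRACE, run_trace()):
        print(f"{pkt.src:>16} -> {pkt.dst:<14} {pkt.flags:<3} seq={pkt.seq:<6} "
              f"len={pkt.length:<5} {', '.join(alerts) or '-'}")
```

The handshake and the first data segment raise nothing; the resend fires EVASIVE RETRANSMISSION, the 9000-byte segment WINDOW VIOLATION, the low-sequence RST EVASIVE RST, and the two streams that start with SYN+FIN or a naked FIN STEALTH ACTIVITY. Both window checks only make sense once the peer has acknowledged something, which is why nothing is judged before the first ACK-bearing packet from the other side.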

