[Snort-devel] Stream4 Questions

Erek Adams erek at ...105...
Mon Jul 9 10:23:50 EDT 2001

Wonderful bit of coding Marty!  If you keep this up, commercial vendors will
start to hate you.  :)

I'm seeing a lot of these:

WARNING: Fishy TWH from client (0xCE0E854C:2727->0x188D118D:1214) (ack:
0x28DED45  isn: 0x0)

Since the isn was 0, this got flagged?

WARNING: Got unexpected SYN ACK from server!
expected: 0x4B9ABCCA   received: 0x60EA

Since "/* we got a fucked up response from the server */" the isn is again the
culprit for this?

And if anyone has never noticed the comments--You really should! :]

Also, it seems to be screaming alot about a napster clone called Morpheus.
I'm working on some more info on it...  At this point, all I know it's name.

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/09/01-00:00:59.361098 XXX.XX.XXX.XX:1214 ->
TCP TTL:128 TOS:0x0 ID:12573 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0xADC61  Ack: 0x1410C1B  Win: 0x207F  TcpLen: 20

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/09/01-00:01:35.927303 XXX.XX.XXX.XX:1214 ->
TCP TTL:128 TOS:0x0 ID:49182 IpLen:20 DgmLen:576 DF
***A**** Seq: 0xA7EBF  Ack: 0x13F6238  Win: 0x2075  TcpLen: 20

Any tuning suggestions to get rid of these?

Erek Adams

More information about the Snort-devel mailing list