[Snort-devel] spp_stream4 and retransmissions

Pawel Krawczyk kravietz at ...564...
Tue Jul 24 04:25:39 EDT 2001


I'm using spp_stream4 and get huge amounts of 'possible retransmission
detection' errors on legitimate traffic. The same happens with the 'WINDOW
VIOLATION' error. What is interesting is that the errors only seem to
happen for these specific hosts and this specific traffic - for WINDOW
it's 995 (POP3/SSL) traffic from my home machine to our work gateway.
With retransmission I've seen it mostly from an academic FTP server
in our city. Both are `legal' and I can easily reproduce this behavior
on a Snort CVS snapshot.

The systems involved are two Linux 2.4.6 (217.96.88.193 and 62.121.128.113)
with stuff like SACK, FACK and ECN enabled and one unknown Unix, probably
HP-UX (149.156.4.11). Any suggestions as to what could be broken here?

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
07/24-10:19:28.603733 149.156.4.11:20 -> 217.96.88.193:3158
TCP TTL:57 TOS:0x8 ID:4668 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x6B30E464  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
07/24-10:19:36.694096 149.156.4.11:20 -> 217.96.88.193:3158
TCP TTL:57 TOS:0x8 ID:4892 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x6B359D6C  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/24-06:00:44.952458 62.121.128.113:1427 -> 217.96.88.194:995
TCP TTL:54 TOS:0x2 ID:37652 IpLen:20 DgmLen:182 DF
***AP*** Seq: 0x197D861D  Ack: 0x1A303E78  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2168093 29386119

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/24-06:00:47.528036 62.121.128.113:1427 -> 217.96.88.194:995
TCP TTL:55 TOS:0x2 ID:37655 IpLen:20 DgmLen:242 DF
***AP*** Seq: 0x197D869F  Ack: 0x1A30416E  Win: 0x1D50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2168343 29386359

-- 
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23
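One way to sanity-check alerts like these before concluding the preprocessor is wrong, as an added example that is not part of the original post and not Snort's own code: a small Python script (the helper names parse_alerts and classify_sequence are my own) that parses the alert text quoted above, derives each segment's TCP payload length as DgmLen minus IpLen minus TcpLen, and reports whether successive alerted segments on the same flow overlap the previously seen data (what a genuine retransmission looks like), continue it exactly, or leave a gap. The arithmetic shows the two WINDOW VIOLATION segments are exactly contiguous (0x197D861D + 130 bytes = 0x197D869F), so whatever stream4 objected to is not overlapping data in this direction; it would have to be the peer's advertised window, which the alerts do not include. The script assumes 32-bit sequence numbers do not wrap within the excerpt.

```python
import re
from collections import defaultdict

# Alert text copied verbatim from the post above (not constructed).
SAMPLE_ALERTS = """\
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
07/24-10:19:28.603733 149.156.4.11:20 -> 217.96.88.193:3158
TCP TTL:57 TOS:0x8 ID:4668 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x6B30E464  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
07/24-10:19:36.694096 149.156.4.11:20 -> 217.96.88.193:3158
TCP TTL:57 TOS:0x8 ID:4892 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x6B359D6C  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/24-06:00:44.952458 62.121.128.113:1427 -> 217.96.88.194:995
TCP TTL:54 TOS:0x2 ID:37652 IpLen:20 DgmLen:182 DF
***AP*** Seq: 0x197D861D  Ack: 0x1A303E78  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2168093 29386119

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/24-06:00:47.528036 62.121.128.113:1427 -> 217.96.88.194:995
TCP TTL:55 TOS:0x2 ID:37655 IpLen:20 DgmLen:242 DF
***AP*** Seq: 0x197D869F  Ack: 0x1A30416E  Win: 0x1D50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2168343 29386359
"""

# One alert record: the [**] header line, the timestamp/endpoints line,
# the IP line and the TCP flags/seq/ack/win line. Trailing option lines
# are simply skipped by finditer().
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>[^\n]*?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)[^\n]*\n"
    r"(?P<flags>\S+) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)"
    r"\s+Win: 0x(?P<win>[0-9A-Fa-f]+)\s+TcpLen: (?P<tcplen>\d+)"
)


def parse_alerts(text):
    """Return one dict per alert. The TCP payload length is derived from
    the IP datagram length minus the IP and TCP header lengths; 'end' is
    the sequence number of the first byte after this segment."""
    packets = []
    for m in ALERT_RE.finditer(text):
        iplen, dgmlen, tcplen = (int(m.group(k)) for k in ("iplen", "dgmlen", "tcplen"))
        seq = int(m.group("seq"), 16)
        payload = dgmlen - iplen - tcplen
        packets.append({
            "msg": m.group("msg"),
            # Flow key is directional: (src, sport, dst, dport).
            "flow": (m.group("src"), int(m.group("sport")),
                     m.group("dst"), int(m.group("dport"))),
            "seq": seq,
            "ack": int(m.group("ack"), 16),
            "win": int(m.group("win"), 16),
            "payload": payload,
            "end": (seq + payload) & 0xFFFFFFFF,
        })
    return packets


def classify_sequence(packets):
    """For consecutive alerts on the same directional flow, in the order
    logged, label each segment relative to the previous one:
    'contiguous' (starts exactly where the last one ended), 'overlap'
    (re-sends bytes already seen, i.e. a real retransmission) or 'gap'
    (bytes in between were seen by the sensor but not alerted on).
    Sequence-number wraparound is assumed not to occur (assumption)."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[p["flow"]].append(p)
    result = {}
    for flow, pkts in by_flow.items():
        relations = []
        for prev, cur in zip(pkts, pkts[1:]):
            if cur["seq"] == prev["end"]:
                relations.append("contiguous")
            elif cur["seq"] < prev["end"]:
                relations.append("overlap")
            else:
                relations.append("gap")
        result[flow] = relations
    return result


if __name__ == "__main__":
    pkts = parse_alerts(SAMPLE_ALERTS)
    for p in pkts:
        print(f"{p['flow']} seq=0x{p['seq']:08X} payload={p['payload']} end=0x{p['end']:08X}")
    for flow, rel in classify_sequence(pkts).items():
        print(flow, rel)
```

Run it against a longer alert file (or the output of `snort -A full`) and look for flows whose alerted segments never come back as "overlap": those are the candidates for a false positive in the preprocessor rather than a genuinely retransmitting peer.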