[Snort-devel] spp_stream4 and retransmissions

Martin Roesch roesch at ...402...
Tue Jul 24 09:02:32 EDT 2001


This is a repeat, but...

Update to the latest beta
(http://www.snort.org/files/snort-1.8.1-beta4.tar.gz): TCP state
problems have to be explicitly turned on (option
"detect_state_problems") in the latest version.

     -Marty

Pawel Krawczyk wrote:
> 
> I'm using spp_stream4 and get huge amounts of 'possible retransmission
> detection' errors on legitimate traffic. The same happens with the 'WINDOW
> VIOLATION' error. What is interesting is that the errors only seem to
> happen for these specific hosts and this specific traffic - for WINDOW
> it's 995 (POP3/SSL) traffic from my home machine to our work gateway.
> With retransmission I've seen it mostly from an academic FTP server
> in our city. Both are `legal' and I can easily reproduce this behavior
> on a Snort CVS snapshot.
> 
> The systems involved are two Linux 2.4.6 (217.96.88.193 and 62.121.128.113)
> with stuff like SACK, FACK and ECN enabled and one unknown Unix, probably
> HP-UX (149.156.4.11). Any suggestions as to what could be broken here?
> 
> [**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
> 07/24-10:19:28.603733 149.156.4.11:20 -> 217.96.88.193:3158
> TCP TTL:57 TOS:0x8 ID:4668 IpLen:20 DgmLen:1500 DF
> ***AP*** Seq: 0x6B30E464  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20
> 
> [**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
> 07/24-10:19:36.694096 149.156.4.11:20 -> 217.96.88.193:3158
> TCP TTL:57 TOS:0x8 ID:4892 IpLen:20 DgmLen:1500 DF
> ***AP*** Seq: 0x6B359D6C  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20
> 
> [**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
> 07/24-06:00:44.952458 62.121.128.113:1427 -> 217.96.88.194:995
> TCP TTL:54 TOS:0x2 ID:37652 IpLen:20 DgmLen:182 DF
> ***AP*** Seq: 0x197D861D  Ack: 0x1A303E78  Win: 0x16D0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 2168093 29386119
> 
> [**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
> 07/24-06:00:47.528036 62.121.128.113:1427 -> 217.96.88.194:995
> TCP TTL:55 TOS:0x2 ID:37655 IpLen:20 DgmLen:242 DF
> ***AP*** Seq: 0x197D869F  Ack: 0x1A30416E  Win: 0x1D50  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 2168343 29386359
> 
> --
> Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
> security: <http://ipsec.pl/>  *** fidonet: 2:486/23
> 

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
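As an added triage example (not code from the thread or from Snort): the header fields that stream4 prints in these alerts are enough to check the second alert of each pair against the first. The parser and the contiguity check below are mine; the input is the four alerts quoted in the post, with the TCP options lines dropped, and the sequence arithmetic is done modulo 2^32.

```python
import re

# Constructed sample: the four stream4 alerts quoted in the post (TCP options lines omitted).
ALERTS = """\
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
07/24-10:19:28.603733 149.156.4.11:20 -> 217.96.88.193:3158
TCP TTL:57 TOS:0x8 ID:4668 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x6B30E464  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
07/24-10:19:36.694096 149.156.4.11:20 -> 217.96.88.193:3158
TCP TTL:57 TOS:0x8 ID:4892 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x6B359D6C  Ack: 0x80BBF93B  Win: 0xE000  TcpLen: 20

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/24-06:00:44.952458 62.121.128.113:1427 -> 217.96.88.194:995
TCP TTL:54 TOS:0x2 ID:37652 IpLen:20 DgmLen:182 DF
***AP*** Seq: 0x197D861D  Ack: 0x1A303E78  Win: 0x16D0  TcpLen: 32

[**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
07/24-06:00:47.528036 62.121.128.113:1427 -> 217.96.88.194:995
TCP TTL:55 TOS:0x2 ID:37655 IpLen:20 DgmLen:242 DF
***AP*** Seq: 0x197D869F  Ack: 0x1A30416E  Win: 0x1D50  TcpLen: 32
"""

# One full-format record: header line, timestamp/addresses, IP line, TCP line.
REC = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] .*? \[\*\*\]\n\S+ (\S+) -> (\S+)\n"
                 r".*?IpLen:(\d+) DgmLen:(\d+).*?\n.*?Seq: 0x([0-9A-Fa-f]+)"
                 r"\s+Ack: 0x[0-9A-Fa-f]+\s+Win: 0x([0-9A-Fa-f]+)\s+TcpLen: (\d+)")

def parse_alerts(text):
    """Return one dict per record; payload bytes = DgmLen - IpLen - TcpLen."""
    return [{"sid": f"{g}:{s}", "flow": (src, dst), "seq": int(seq, 16),
             "win": int(win, 16), "payload": int(dgm) - int(ip) - int(tcp)}
            for g, s, src, dst, ip, dgm, seq, win, tcp in REC.findall(text)]

def classify(alerts):
    """Compare each alerted segment with the previous one on the same flow: 'contiguous'
    (seq == prev seq + prev payload), 'overlap' (data really was resent) or 'gap'."""
    last, verdicts = {}, []
    for a in alerts:
        p = last.get(a["flow"])
        if p is not None:
            expected = (p["seq"] + p["payload"]) & 0xFFFFFFFF  # next seq, modulo 2^32
            offset = (a["seq"] - p["seq"]) & 0xFFFFFFFF
            verdict = ("contiguous" if a["seq"] == expected else
                       "overlap" if offset < p["payload"] else "gap")
            verdicts.append((a["sid"], a["flow"][0], verdict))
        last[a["flow"]] = a
    return verdicts
```

The two WINDOW VIOLATION segments turn out to be exactly contiguous (0x197D861D plus 130 payload bytes is 0x197D869F), which supports the claim that this traffic is legitimate; a 'gap' verdict only says the alerted segments are not adjacent, since the packets between them were not alerted on.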