[Snort-devel] Odd behaviour of spp_stream4 "TCP checksum changed on retransmission" alert in Snort 2.0.0rc1

Pearce, Rob D Rob.D.Pearce at ...1901...
Wed Apr 2 05:29:48 EST 2003


Hi,

I've just started doing some testing with Snort v2.0.0rc1 and I've
noticed something strange which I thought was worth reporting - the "TCP
checksum changed on retransmission (possible fragroute) detection" alert
seems to be being triggered by packets where the _IP_ checksum has
changed, rather than the TCP checksum - thus when packets are
retransmitted with new IP IDs (and thus new IP checksums) this alert is
being triggered, despite the TCP checksum remaining the same.

Packet captures of the packets in question are as follows (IP addresses
and some data removed):

First packet:
[**] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible
fragroute) detection [**]
04/01-23:30:06.887461 x.x.x.x:25 -> y.y.y.y:54667
TCP TTL:52 TOS:0x0 ID:55684 IpLen:20 DgmLen:66 DF
***AP**F Seq: 0xE7D37CC8  Ack: 0xE6188AF4  Win: 0xE100  TcpLen: 20
0x0000: 08 00 20 81 E3 75 00 E0 1E 33 B9 F8 08 00 45 00  .. ..u...3....E.
0x0010: 00 42 D9 84 40 00 34 06 5B CC xx xx xx xx yy yy  .B..@.4.[..'....
0x0020: yy yy 00 19 D5 8B E7 D3 7C C8 E6 18 8A F4 50 19  .2......|.....P.
0x0030: E1 00 5D 6F 00 00 32 32 30 20 48 65 6C 6C 6F 20  ..]o..220 Hello


Second packet:
[**] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible
fragroute) detection [**]
04/01-23:31:10.891615 x.x.x.x:25 -> y.y.y.y:54667
TCP TTL:52 TOS:0x0 ID:398 IpLen:20 DgmLen:66 DF
***AP**F Seq: 0xE7D37CC8  Ack: 0xE6188AF4  Win: 0xE100  TcpLen: 20
0x0000: 08 00 20 81 E3 75 00 E0 1E 33 B9 F8 08 00 45 00  .. ..u...3....E.
0x0010: 00 42 01 8E 40 00 34 06 33 C3 xx xx xx xx yy yy  .B..@.4.3..'....
0x0020: yy yy 00 19 D5 8B E7 D3 7C C8 E6 18 8A F4 50 19  .2......|.....P.
0x0030: E1 00 5D 6F 00 00 32 32 30 20 48 65 6C 6C 6F 20  ..]o..220 Hello


The system I'm running it on is:

Architecture:      x86 PentiumII
OS:                Linux 2.2.14-12
Snort version:     2.0.0rc1
Preprocessors:     frag2, stream4, http_decode, bo, telnet_decode, portscan
Rules:             Those from http://www.snort.org/downloads/snortrules.tar.gz
Output plugins:    alert_syslog
Commandline:       snort -d -c /opt/snort/config/snort.conf
Snort error msgs:  N/A

Is this the expected behaviour or something which shouldn't be
happening?

Regards,
Rob Pearce
Telstra InterNetworking Solutions
ACT Firewall Team
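As an added check (not part of the original post), the Python below re-reads the two Snort dumps above, pulls out the IP ID, IP header checksum and TCP checksum, and applies the RFC 1624 incremental-update formula to confirm that the new IP checksum is exactly what the new IP ID alone predicts, while the TCP checksum is identical in both packets. The redacted xx/yy address bytes are kept as placeholders; none of the inspected fields overlaps them.

```python
PKT1 = """
0x0000: 08 00 20 81 E3 75 00 E0 1E 33 B9 F8 08 00 45 00
0x0010: 00 42 D9 84 40 00 34 06 5B CC xx xx xx xx yy yy
0x0020: yy yy 00 19 D5 8B E7 D3 7C C8 E6 18 8A F4 50 19
0x0030: E1 00 5D 6F 00 00 32 32 30 20 48 65 6C 6C 6F 20
"""
PKT2 = """
0x0000: 08 00 20 81 E3 75 00 E0 1E 33 B9 F8 08 00 45 00
0x0010: 00 42 01 8E 40 00 34 06 33 C3 xx xx xx xx yy yy
0x0020: yy yy 00 19 D5 8B E7 D3 7C C8 E6 18 8A F4 50 19
0x0030: E1 00 5D 6F 00 00 32 32 30 20 48 65 6C 6C 6F 20
"""
ETH_LEN = 14  # Ethernet II header precedes the IP header in these dumps

def parse_dump(text):
    """Snort 'offset: hex ...' lines -> list of byte values (None where the
    poster redacted an address byte; nothing below reads those positions)."""
    pkt = []
    for line in text.strip().splitlines():
        for tok in line.split(":", 1)[1].split():
            pkt.append(None if tok in ("xx", "yy") else int(tok, 16))
    return pkt

def header_fields(pkt):
    """Pull the three fields the stream4 alert is really about."""
    word = lambda i: (pkt[i] << 8) | pkt[i + 1]
    ihl = (pkt[ETH_LEN] & 0x0F) * 4          # IP header length from IHL
    tcp = ETH_LEN + ihl                       # start of the TCP header
    return {"ip_id": word(ETH_LEN + 4),       # IP identification
            "ip_csum": word(ETH_LEN + 10),    # IP header checksum
            "tcp_csum": word(tcp + 16)}       # TCP checksum

def rfc1624_update(old_csum, old_word, new_word):
    """Incremental ones'-complement update (RFC 1624, eq. 3) for a single
    16-bit header word changing from old_word to new_word."""
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    s = (s & 0xFFFF) + (s >> 16)              # fold the carry back in
    return ~s & 0xFFFF

def compare_retransmission(first, second):
    """Report what changed and whether a 'TCP checksum changed' alert is due."""
    a, b = header_fields(parse_dump(first)), header_fields(parse_dump(second))
    return {
        "tcp_csum_changed": a["tcp_csum"] != b["tcp_csum"],
        "ip_csum_changed": a["ip_csum"] != b["ip_csum"],
        # True if the new IP checksum is fully explained by the new IP ID alone
        "ip_csum_explained_by_id": rfc1624_update(a["ip_csum"], a["ip_id"], b["ip_id"]) == b["ip_csum"],
    }

if __name__ == "__main__":
    print(compare_retransmission(PKT1, PKT2))
```

Only the IP ID moved between the two captures (0xD984 to 0x018E); the IP checksum moved with it, the TCP checksum stayed at 0x5D6F, so an alert keyed on the TCP checksum has nothing to fire on.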
