[Snort-devel] Snort v2 pb ?

rmkml rmkml at ...1042...
Fri Apr 18 10:29:11 EDT 2003


Hi All,

I received this traffic this morning ... (attached file)

Yes, I have p2p on the web (80) port in this file ...

I am temporarily using
snort 191b234
and
snort 200b72

old snort event is this :
04/18-03:43:18.249049  [**] [111:17:1] (spp_stream4) TCP TOO FAST
RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
[**] {TCP} 80.14.9.220:2908 -> 65.81.134.164:80
04/18-03:43:18.278843  [**] [111:18:1] (spp_stream4) Multiple Acked
Packets (possible fragroute) [**] {TCP} 80.14.9.220:2908 ->
65.81.134.164:80

and new snort (v2) event is this :
04/18-03:43:18.249049  [**] [111:17:1] (spp_stream4) TCP TOO FAST
RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
[**] {TCP} 80.14.9.220:2908 -> 65.81.134.164:80

Does the new version drop the event "Multiple Acked Packets..." ?

but I found this event in src/generators.h at line 215 ...

Here is my stream4 conf; it is the same in old snort (1.9) and new snort (2.0) :
preprocessor stream4: detect_scans, detect_state_problems, memcap
67108864

and here is the traffic viewed with tcpdump around the snort event timestamps :

03:43:15.772377 65.81.134.164.80 > 80.14.9.220.2908: P [tcp sum ok]
1635914720:1635914766(46) ack 2366825561 win 64161 <nop,nop,timestamp
2518874 230704787> (DF) (ttl 111, id 40788, len 98)
03:43:15.772407 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
2366825561:2366825561(0) ack 1635914766 win 5840 <nop,nop,timestamp
230704814 2518874> (DF) (ttl 64, id 41387, len 52)
03:43:16.660730 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok]
2366825561:2366825873(312) ack 1635914766 win 5840 <nop,nop,timestamp
230704903 2518874> (DF) (ttl 64, id 41388, len 364)
03:43:17.055132 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok]
1635914766:1635914766(0) ack 2366825873 win 63849 <nop,nop,timestamp
2518888 230704903> (DF) (ttl 111, id 40823, len 52)
03:43:17.055311 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok]
2366825873:2366827129(1256) ack 1635914766 win 5840 <nop,nop,timestamp
230704942 2518888> (DF) (ttl 64, id 41389, len 1308)
03:43:17.506911 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok]
1635914766:1635914766(0) ack 2366827129 win 64240 <nop,nop,timestamp
2518893 230704942> (DF) (ttl 111, id 40834, len 52)
03:43:17.860425 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok]
2366827129:2366827187(58) ack 1635914766 win 5840 <nop,nop,timestamp
230705023 2518893> (DF) (ttl 64, id 41390, len 110)
03:43:18.020663 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
2366827187:2366828635(1448) ack 1635914766 win 5840 <nop,nop,timestamp
230705039 2518893> (DF) (ttl 64, id 41391, len 1500)
03:43:18.249049 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
2366827187:2366828627(1440) ack 1635914766 win 5840 <nop,nop,timestamp
230705061 2518893> (DF) (ttl 64, id 41392, len 1492)
03:43:18.278814 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok]
1635914766:1635914766(0) ack 2366827187 win 64182 <nop,nop,timestamp
2518900 230705023> (DF) (ttl 111, id 40855, len 52)
03:43:18.278843 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
2366828627:2366828635(8) ack 1635914766 win 5840 <nop,nop,timestamp
230705064 2518900> (DF) (ttl 64, id 41393, len 60)
...

Can we confirm "Multiple Acked Packets" on this trace ?

I looked at this traffic with ethereal (0.9.11) and ethereal reports "tcp
Retransmission" at two timestamps :
03:43:18.249049
03:43:18.278843

bug in old snort ?

or bug in new snort ?

Thanks for your help and comments and others ...

Regards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 65.81.134.164-pbsnortstream4.tcpdump.gz
Type: application/x-gzip
Size: 104634 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030418/6219d07e/attachment.bin>
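As an added example (not from the post and not Snort's stream4 code) of the overlap check a defender could run over a trace like this one: it re-parses the sender's tcpdump lines quoted above and flags any data segment that resends an already-sent sequence range with different boundaries. The sample lines are reconstructed from the trace in the post, with tcpdump's line wrapping undone so that each packet is one line.

```python
import re

# Constructed sample: the sender side of the trace quoted in the post, with
# tcpdump's wrapped lines re-joined so each packet is one line.
TRACE = """\
03:43:17.860425 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok] 2366827129:2366827187(58) ack 1635914766 win 5840
03:43:18.020663 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok] 2366827187:2366828635(1448) ack 1635914766 win 5840
03:43:18.249049 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok] 2366827187:2366828627(1440) ack 1635914766 win 5840
03:43:18.278814 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok] 1635914766:1635914766(0) ack 2366827187 win 64182
03:43:18.278843 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok] 2366828627:2366828635(8) ack 1635914766 win 5840
"""

# tcpdump 3.x style: "<ts> <src> > <dst>: <flags> [tcp sum ok] <start>:<end>(<len>) ..."
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): \S+ (?:\[tcp sum ok\] )?"
    r"(?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
)


def parse(trace):
    """Yield (timestamp, flow, seq_start, seq_end) for each data-carrying segment."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m or int(m["len"]) == 0:
            continue  # skip unparsable lines and pure ACKs
        yield m["ts"], (m["src"], m["dst"]), int(m["start"]), int(m["end"])


def find_overlapping_retransmissions(trace):
    """Flag data segments that overlap earlier data on the same flow but with
    different boundaries (a retransmission with a different data size).
    Exact duplicates are ordinary retransmissions and are not flagged."""
    seen = {}       # flow -> list of (start, end) ranges already sent
    findings = []
    for ts, flow, start, end in parse(trace):
        for p_start, p_end in seen.get(flow, []):
            overlaps = start < p_end and p_start < end
            if overlaps and (start, end) != (p_start, p_end):
                findings.append((ts, f"{start}:{end} overlaps earlier {p_start}:{p_end}"))
                break
        seen.setdefault(flow, []).append((start, end))
    return findings


if __name__ == "__main__":
    for ts, reason in find_overlapping_retransmissions(TRACE):
        print(ts, reason)
```

Run on the sample it reports the two timestamps that ethereal also marked as retransmissions, 03:43:18.249049 and 03:43:18.278843.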