[Snort-devel] Re: Snort v2 pb ?

rmkml rmkml at ...1042...
Tue Apr 22 13:14:27 EDT 2003


Could you help me please?


rmkml wrote:

> Hi All,
>
> I received this traffic this morning ... (attached file)
>
> Yes, I have p2p on web (80) port on this file ...
>
> I use temporarily,
> snort 191b234
> and
> snort 200b72
>
> old snort gives this event:
> 04/18-03:43:18.249049  [**] [111:17:1] (spp_stream4) TCP TOO FAST
> RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
> [**] {TCP} 80.14.9.220:2908 -> 65.81.134.164:80
> 04/18-03:43:18.278843  [**] [111:18:1] (spp_stream4) Multiple Acked
> Packets (possible fragroute) [**] {TCP} 80.14.9.220:2908 ->
> 65.81.134.164:80
>
> and new snort (v2) gives this event:
> 04/18-03:43:18.249049  [**] [111:17:1] (spp_stream4) TCP TOO FAST
> RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
> [**] {TCP} 80.14.9.220:2908 -> 65.81.134.164:80
>
> Does the new version drop the event "Multiple Acked Packets..."?
>
> But I found this event in src/generators.h at line 215 ...
>
> Here is my stream4 conf; in old snort (1.9) it is the same as in new snort (2.0):
> preprocessor stream4: detect_scans, detect_state_problems, memcap
> 67108864
>
> and the traffic viewed with tcpdump around the snort event timestamps:
>
> 03:43:15.772377 65.81.134.164.80 > 80.14.9.220.2908: P [tcp sum ok]
> 1635914720:1635914766(46) ack 2366825561 win 64161 <nop,nop,timestamp
> 2518874 230704787> (DF) (ttl 111, id 40788, len 98)
> 03:43:15.772407 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
> 2366825561:2366825561(0) ack 1635914766 win 5840 <nop,nop,timestamp
> 230704814 2518874> (DF) (ttl 64, id 41387, len 52)
> 03:43:16.660730 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok]
> 2366825561:2366825873(312) ack 1635914766 win 5840 <nop,nop,timestamp
> 230704903 2518874> (DF) (ttl 64, id 41388, len 364)
> 03:43:17.055132 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok]
> 1635914766:1635914766(0) ack 2366825873 win 63849 <nop,nop,timestamp
> 2518888 230704903> (DF) (ttl 111, id 40823, len 52)
> 03:43:17.055311 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok]
> 2366825873:2366827129(1256) ack 1635914766 win 5840 <nop,nop,timestamp
> 230704942 2518888> (DF) (ttl 64, id 41389, len 1308)
> 03:43:17.506911 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok]
> 1635914766:1635914766(0) ack 2366827129 win 64240 <nop,nop,timestamp
> 2518893 230704942> (DF) (ttl 111, id 40834, len 52)
> 03:43:17.860425 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok]
> 2366827129:2366827187(58) ack 1635914766 win 5840 <nop,nop,timestamp
> 230705023 2518893> (DF) (ttl 64, id 41390, len 110)
> 03:43:18.020663 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
> 2366827187:2366828635(1448) ack 1635914766 win 5840 <nop,nop,timestamp
> 230705039 2518893> (DF) (ttl 64, id 41391, len 1500)
> 03:43:18.249049 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
> 2366827187:2366828627(1440) ack 1635914766 win 5840 <nop,nop,timestamp
> 230705061 2518893> (DF) (ttl 64, id 41392, len 1492)
> 03:43:18.278814 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok]
> 1635914766:1635914766(0) ack 2366827187 win 64182 <nop,nop,timestamp
> 2518900 230705023> (DF) (ttl 111, id 40855, len 52)
> 03:43:18.278843 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok]
> 2366828627:2366828635(8) ack 1635914766 win 5840 <nop,nop,timestamp
> 230705064 2518900> (DF) (ttl 64, id 41393, len 60)
> ...
>
> Can we confirm "Multiple Acked Packets" on this trace?
>
> I looked at this traffic with ethereal (0.9.11) and ethereal reports "TCP
> Retransmission" at two timestamps:
> 03:43:18.249049
> 03:43:18.278843
>
> Bug in old snort?
>
> Or bug in new snort?
>
> Thanks for your help and comments and others ...
>
> Regards.
>
> [Attachment: 65.81.134.164-pbsnortstream4.tcpdump.gz, type application/x-gzip, base64 encoded]
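The trace quoted above shows what the stream4 alert name describes: at 03:43:18.020663 the client sends sequence 2366827187 with 1448 bytes, at 03:43:18.249049 it re-sends the same starting sequence with only 1440 bytes, and at 03:43:18.278843 it sends the remaining 8 bytes, which were already covered by the first segment. The following is an added example, not Snort's stream4 code and not from the original post: a small Python script that parses tcpdump lines in the format shown above, tracks the byte ranges each flow has already sent, and classifies every data segment as new, an exact retransmission, a retransmission with a different data size, or an overlap of previously sent bytes. The sample trace is constructed from the post's client-to-server records (each record re-joined onto one line, TCP options and IP fields dropped); the real stream4 thresholds and state machine are not reproduced.

```python
"""Classify TCP retransmissions in a tcpdump text trace (added example, not Snort code)."""
import re
from collections import defaultdict

# Constructed sample: the client->server segments of the trace quoted in the
# post, each tcpdump record re-joined onto one line, with the trailing
# "<nop,nop,timestamp ...> (DF) (ttl ...)" part dropped.
TRACE = """\
03:43:16.660730 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok] 2366825561:2366825873(312) ack 1635914766 win 5840
03:43:17.055311 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok] 2366825873:2366827129(1256) ack 1635914766 win 5840
03:43:17.860425 80.14.9.220.2908 > 65.81.134.164.80: P [tcp sum ok] 2366827129:2366827187(58) ack 1635914766 win 5840
03:43:18.020663 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok] 2366827187:2366828635(1448) ack 1635914766 win 5840
03:43:18.249049 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok] 2366827187:2366828627(1440) ack 1635914766 win 5840
03:43:18.278814 65.81.134.164.80 > 80.14.9.220.2908: . [tcp sum ok] 1635914766:1635914766(0) ack 2366827187 win 64182
03:43:18.278843 80.14.9.220.2908 > 65.81.134.164.80: . [tcp sum ok] 2366828627:2366828635(8) ack 1635914766 win 5840
"""

# One tcpdump TCP record in the format used in the post:
# "<time> <src.port> > <dst.port>: <flags> [tcp sum ok] <seq>:<end>(<len>) ack <n> win <w> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>\S+)\s+"
    r"\[tcp sum ok\]\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
)


def parse(trace):
    """Yield one dict per parseable tcpdump line; unparseable lines are skipped."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield {"ts": d["ts"], "src": d["src"], "dst": d["dst"],
                   "seq": int(d["seq"]), "end": int(d["end"]), "len": int(d["len"])}


def classify(trace):
    """Classify every data-carrying segment against what its flow already sent.

    Kinds:
      new                           - bytes not seen before on this flow
      retransmission                - same start seq and same length as an earlier segment
      retransmission_different_size - same start seq, different length (what the
                                      stream4 alert name in the post describes)
      overlap                       - range lies entirely inside bytes already sent,
                                      but starts in the middle of an earlier segment
    """
    sent = defaultdict(list)  # (src, dst) -> list of (seq, end) ranges already seen
    events = []
    for p in parse(trace):
        if p["len"] == 0:      # pure ACKs carry no data, so there is nothing to compare
            continue
        flow = (p["src"], p["dst"])
        prior = sent[flow]
        same_start = [(s, e) for s, e in prior if s == p["seq"]]
        if same_start:
            sizes = {e - s for s, e in same_start}
            kind = "retransmission" if p["len"] in sizes else "retransmission_different_size"
            detail = "earlier size(s) %s, now %d" % (sorted(sizes), p["len"])
        elif any(s <= p["seq"] and p["end"] <= e for s, e in prior):
            kind, detail = "overlap", "bytes %d:%d already sent" % (p["seq"], p["end"])
        else:
            kind, detail = "new", ""
        events.append({"ts": p["ts"], "seq": p["seq"], "len": p["len"],
                       "kind": kind, "detail": detail})
        prior.append((p["seq"], p["end"]))
    return events


def suspicious(trace):
    """Return only the segments a stream4-style retransmission check would flag."""
    return [e for e in classify(trace) if e["kind"] != "new"]


if __name__ == "__main__":
    for e in suspicious(TRACE):
        print(e["ts"], e["kind"], e["detail"])
```

Run against the constructed trace, `suspicious(TRACE)` flags exactly the two timestamps ethereal marks as "TCP Retransmission": 03:43:18.249049 as a retransmission with a different data size (1448 earlier, 1440 now) and 03:43:18.278843 as an overlap of bytes already sent. A production reassembler would also have to cope with sequence-number wraparound and with ranges that only partially overlap; both are left out here to keep the check readable.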