[Snort-devel] stream4 skipping packets on snort 2.0 (packets ARE being received)

Daniel OKeefe dokeefe_nh at ...398...
Wed Apr 30 05:50:14 EDT 2003


Hi

I'm a newbie working with Snort 2.0 on Win32.

I am trying to dump reassembled TCP streams that meet
certain content strings. Each stream is composed of
around 3-4 datagrams. I have found some odd behavior
with the stream4 preprocessor.

The message streams are not being properly
reassembled. From the log, it appears that the last
packet is being jammed into the next message stream.
That is, packets 1,2 and 3 get reassembled, but packet
4 ends up in front of the next 1,2,3 ... etc.

I did some investigation by simply dumping the raw
packets and correlating the output from the stream4
process. I noticed that: 
1. all packets are being received. 
2. where the break point occurs I am receiving a
datagram with a single binary value in it (which may
be a re-ACK to re-establish a connection -
unfortunately I'm not that familiar with how IP
works). That very small datagram causes the stream to
be broken during assembly. 

Has anyone else seen this behavior, and does anyone
have a fix for it? I've included a sample of the raw
data, and the output from the stream4 reassembly.
////////////////////////////////////////////////////
This example is the raw packets (end of one, leading
through to start of next data packet):

...
20 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 20 43   International C
6F 72 70 2E 20 2C 20 61 20 70 72 6F 76 69 64 65  orp. , a provide
72 20 6F 66 20 69 6E 66 6F 72 6D 61 74 69 6F 6E  r of information
20 74 65 63 68 6E 6F 6C                           technol

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/30-08:41:12.251088 24.128.147.90:3584 -> 207.168.174.3:80
TCP TTL:128 TOS:0x0 ID:3597 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xB4947880  Ack: 0xB4920BD9  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/30-08:41:12.352424 207.168.174.3:80 -> 24.128.147.90:3584
TCP TTL:112 TOS:0x0 ID:46000 IpLen:20 DgmLen:258 DF
***AP*** Seq: 0xB4920BD9  Ack: 0xB4947880  Win: 0xF980  TcpLen: 20
6F 67 79 20 73 65 72 76 69 63 65 73 20 66 6F 72  ogy services for
20 68 6F 6D 65 6C 61 6E 64 20 64 65 66 65 6E 73   homeland defens
65 2C 20 6F 6E 20 57 65 64 6E 65 73 64 61 79 20  e, on Wednesday 
72 65 70 6F 72 74 65 64 20 68 69 67 68 65 72 20  reported higher 
////////////////////////////////////////////////////

Note: this is a "broken" example - the content
continues from the end of one assembled stream into
the next:
...
20 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 20 43   International C
6F 72 70 2E 20 2C 20 61 20 70 72 6F 76 69 64 65  orp. , a provide
72 20 6F 66 20 69 6E 66 6F 72 6D 61 74 69 6F 6E  r of information
20 74 65 63 68 6E 6F 6C                           technol

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] XML detected [**]
04/30-08:46:57.206842 207.168.174.3:80 -> 24.128.147.90:3587
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3178
***AP*** Seq: 0xB9B14A21  Ack: 0xB969FADF  Win: 0x4470  TcpLen: 20
6F 67 79 20 73 65 72 76 69 63 65 73 20 66 6F 72  ogy services for
20 68 6F 6D 65 6C 61 6E 64 20 64 65 66 65 6E 73   homeland defens
65 2C 20 6F 6E 20 57 65 64 6E 65 73 64 61 79 20  e, on Wednesday 

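An added example, not part of the original post and not Snort's own code: it parses the Snort packet headers quoted above to work out how many payload bytes each segment carries (DgmLen minus IpLen minus TcpLen), flags the zero-payload ACK-only segment at the break point, and then models two reassembly flush policies on constructed segments so the split the post describes can be reproduced and compared with a per-direction, sequence-number-driven buffer. The header text in SAMPLE is copied from the post; the segment list, the policy model and the names parse_headers, is_bare_ack and reassemble are assumptions of this example, not stream4's algorithm.

```python
"""Added example (not from the original post or from Snort): compute TCP
payload length from Snort header output and model how a bare ACK from the
peer can split a reassembled stream depending on the flush policy."""
import re
from collections import defaultdict

# Copied from the two headers quoted in the post, with the wrapped lines rejoined.
SAMPLE = """\
04/30-08:41:12.251088 24.128.147.90:3584 -> 207.168.174.3:80
TCP TTL:128 TOS:0x0 ID:3597 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xB4947880  Ack: 0xB4920BD9  Win: 0x4470  TcpLen: 20

04/30-08:41:12.352424 207.168.174.3:80 -> 24.128.147.90:3584
TCP TTL:112 TOS:0x0 ID:46000 IpLen:20 DgmLen:258 DF
***AP*** Seq: 0xB4920BD9  Ack: 0xB4947880  Win: 0xF980  TcpLen: 20
"""

# Snort's flag string is eight positions: 1 2 U A P R S F.
HEADER_RE = re.compile(
    r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\s*\n"
    r"TCP .*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+).*?\n"
    r"(?P<flags>\S{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)"
    r".*?TcpLen: (?P<tcplen>\d+)"
)


def parse_headers(text):
    """Return one dict per Snort TCP packet header found in text."""
    pkts = []
    for m in HEADER_RE.finditer(text):
        iplen, dgmlen, tcplen = (int(m.group(k)) for k in ("iplen", "dgmlen", "tcplen"))
        pkts.append({
            "src": m.group("src"), "dst": m.group("dst"), "flags": m.group("flags"),
            "seq": int(m.group("seq"), 16), "ack": int(m.group("ack"), 16),
            # Whatever the IP datagram carries beyond the IP and TCP headers is data.
            "payload_len": dgmlen - iplen - tcplen,
        })
    return pkts


def is_bare_ack(pkt):
    """True for a segment with no data and only the ACK flag set."""
    return pkt["payload_len"] == 0 and pkt["flags"] == "***A****"


# Constructed segments (hypothetical): server response split into 3 segments,
# a bare client ACK, a 4th server segment, 3 more server segments, another ACK.
SERVER, CLIENT = "207.168.174.3:80", "24.128.147.90:3584"
SEGMENTS = [
    (SERVER, CLIENT, 1000, b"Intern"),
    (SERVER, CLIENT, 1006, b"ational"),
    (SERVER, CLIENT, 1013, b" Corp."),
    (CLIENT, SERVER, 5000, b""),            # bare ACK from the client
    (SERVER, CLIENT, 1019, b", a provider"),  # "packet 4" arrives after the ACK
    (SERVER, CLIENT, 1031, b"Next "),
    (SERVER, CLIENT, 1036, b"message "),
    (SERVER, CLIENT, 1044, b"body"),
    (CLIENT, SERVER, 5000, b""),            # bare ACK from the client
]


def reassemble(segments, flush_on_peer_segment):
    """Model of two flush policies. Each segment is (src, dst, seq, data).

    flush_on_peer_segment=True: emit whatever is buffered for a direction
    whenever ANY segment arrives from the other side, data or not. A bare
    ACK then cuts the response, and data arriving after it lands at the
    front of the next emitted chunk.
    flush_on_peer_segment=False: buffer per direction in sequence order and
    emit only at the end (stand-in for flushing on connection close).
    Returns {(src, dst): [chunk, ...]}. Gaps/retransmissions are skipped.
    """
    bufs, expected, out = defaultdict(bytearray), {}, defaultdict(list)

    def flush(direction):
        if bufs[direction]:
            out[direction].append(bytes(bufs[direction]))
            bufs[direction].clear()

    for src, dst, seq, data in segments:
        direction, reverse = (src, dst), (dst, src)
        if flush_on_peer_segment:
            flush(reverse)
        if not data:
            continue  # zero-payload segments carry nothing to reassemble
        if expected.setdefault(direction, seq) != seq:
            continue  # out-of-order or duplicate: not modelled here
        bufs[direction] += data
        expected[direction] = seq + len(data)
    for direction in list(bufs):
        flush(direction)
    return dict(out)


if __name__ == "__main__":
    for p in parse_headers(SAMPLE):
        print(p["src"], "->", p["dst"], p["flags"], "payload", p["payload_len"],
              "bare ACK" if is_bare_ack(p) else "")
    for policy in (True, False):
        print("flush on peer segment:", policy, reassemble(SEGMENTS, policy)[(SERVER, CLIENT)])
```

Run with the post's own dump pasted in place of SAMPLE to classify every segment the same way; the first header has DgmLen 40 with 20-byte IP and TCP headers, so it carries no data at all, which the payload arithmetic makes explicit.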



