[Snort-devel] Stream4 oddness

Daniel Harrison danielh at ...1776...
Sun Jan 12 01:57:05 EST 2003


When I had stream4 enabled with the default options (preprocessor 
stream4_reassemble) I was receiving hundreds of alerts that match the 
alert below (Transfer-Encoding: chunked). The odd part of it was that in 
the alert packet the src and dst were flipped in every case I looked at 
(at least 100). The alert shows that the src was the client, and the 
packet capture shows correctly that the source was the 10.x server. I 
was able to reduce this number to 1 or 2 every hour or so by changing 
the stream4 options to "serveronly, ports [default]" and "both, 
ports [default]". Both Version 1.9.0 (Build 227) and (Build 209) showed 
the same behavior on a Sun 420 running 5.7.

Am I missing something, or is this a known issue with stream4?

Thanks.

-dan


[**] WEB-MISC Transfer-Encoding: chunked [**]
01/12-08:33:08.909453 10.xx.xx.xx:21664 -> 208.xx.xx.xx:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:869
***AP*** Seq: 0xABEDC8F5  Ack: 0x5DCCD3B9  Win: 0x86C4  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 53 65 72 76 65 72 3A 20 4E 65 74 73 63 61 70  .Server: Netscap
65 2D 45 6E 74 65 72 70 72 69 73 65 2F 34 2E 31  e-Enterprise/4.1
0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 31 32 20  ..Date: Sun, 12
4A 61 6E 20 32 30 30 33 20 30 38 3A 33 30 3A 30  Jan 2003 08:30:0
34 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 74  4 GMT..Content-t
79 70 65 3A 20 69 6D 61 67 65 2F 67 69 66 0D 0A  ype: image/gif..
45 74 61 67 3A 20 22 64 39 65 63 63 38 39 64 2D  Etag: "d9ecc89d-
31 2D 31 33 63 2D 33 64 61 63 63 66 31 36 22 0D  1-13c-3daccf16".
0A 4C 61 73 74 2D 6D 6F 64 69 66 69 65 64 3A 20  .Last-modified:
57 65 64 2C 20 31 36 20 4F 63 74 20 32 30 30 32  Wed, 16 Oct 2002
20 30 32 3A 32 39 3A 34 32 20 47 4D 54 0D 0A 43   02:29:42 GMT..C
6F 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33  ontent-length: 3
31 36 0D 0A 41 63 63 65 70 74 2D 72 61 6E 67 65  16..Accept-range
73 3A 20 62 79 74 65 73 0D 0A 0D 0A 47 49 46 38  s: bytes....GIF8
39 61 2F 00 13 00 B3 00 00 00 00 66 66 66 66 FF  9a/........ffff.
FF FF 73 73 73 33 33 33 D6 D6 D6 AC AC AC F5 F5  ..sss333........
F5 A1 A1 A1 8F 8F 8F CC CC CC 83 83 83 C2 C2 C2  ................
E2 E2 E2 B8 B8 B8 EB EB EB 21 F9 04 00 00 00 00  .........!......
00 2C 00 00 00 00 2F 00 13 00 00 04 E9 10 C8 49  .,..../........I
AB BD 38 EB CD BB 15 60 28 8E 64 69 8E 5F A0 AE  ..8....`(.di._..
6C EB BE B0 4A 08 69 6C DF EF 5C E3 FC AD 57 82  l...J.il..\...W.
96 43 70 58 2C 42 88 00 42 50 50 82 1E 0B E5 41  .CpX,B..BPP....A
90 64 04 05 8C D5 8F 12 5C 1D 11 0D C5 12 91 18  .d......\.......
04 0A 87 A6 41 30 10 18 02 07 05 E3 10 68 14 8E  ....A0.......h..
6F 19 0D C8 6A 2B 54 43 09 51 6D 0C 4D 05 0D 5F  o...j+TC.Qm.M.._
09 02 09 09 6F 02 0A 6B 09 5A 7B 5C 2D 4B 6F 05  ....o..k.Z{\-Ko.
20 7F 0C 0D 06 4D 53 4C 03 6B 66 01 8A 21 2C 5B   ....MSL.kf..!,[
13 5D 2A 06 09 0A 74 02 0E 2A 03 69 05 05 84 73  .]*...t..*.i...s
01 9C 67 08 A3 B6 A8 94 AA 2C 0F 0A 0A 50 58 65  ..g......,...PXe
97 0F 05 8A 08 0E 0D 01 0A 9D 02 0B AF 01 B1 C0  ................
3B 52 07 08 4B 20 09 76 67 05 BE 4D 0B 07 07 6F  ;R..K .vg..M...o
CB CD D9 7C 3D EE 30 A9 12 AB EF F4 7A 1F 04 F8  ...|=.0.....z...
F9 FA FB FC FD FE F9 C1 E4 9D 18 48 70 A0 87 83  ...........Hp...
08 13 2A 4C 18 01 00 3B                          ..*L...;

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/12-08:33:08.909460 10.xx.xx.xx:80 -> 208.xx.xx.xx:21664
TCP TTL:255 TOS:0x0 ID:35861 IpLen:20 DgmLen:592 DF
***AP*** Seq: 0xABEDC8F5  Ack: 0x5DCCD3B9  Win: 0x86C4  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 53 65 72 76 65 72 3A 20 4E 65 74 73 63 61 70  .Server: Netscap
65 2D 45 6E 74 65 72 70 72 69 73 65 2F 34 2E 31  e-Enterprise/4.1
0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 31 32 20  ..Date: Sun, 12
4A 61 6E 20 32 30 30 33 20 30 38 3A 33 30 3A 30  Jan 2003 08:30:0
34 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 74 2D 74  4 GMT..Content-t
79 70 65 3A 20 69 6D 61 67 65 2F 67 69 66 0D 0A  ype: image/gif..
45 74 61 67 3A 20 22 64 39 65 63 63 38 39 64 2D  Etag: "d9ecc89d-
31 2D 31 33 63 2D 33 64 61 63 63 66 31 36 22 0D  1-13c-3daccf16".
0A 4C 61 73 74 2D 6D 6F 64 69 66 69 65 64 3A 20  .Last-modified:
57 65 64 2C 20 31 36 20 4F 63 74 20 32 30 30 32  Wed, 16 Oct 2002
20 30 32 3A 32 39 3A 34 32 20 47 4D 54 0D 0A 43   02:29:42 GMT..C
6F 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33  ontent-length: 3
31 36 0D 0A 41 63 63 65 70 74 2D 72 61 6E 67 65  16..Accept-range
73 3A 20 62 79 74 65 73 0D 0A 0D 0A 47 49 46 38  s: bytes....GIF8
39 61 2F 00 13 00 B3 00 00 00 00 66 66 66 66 FF  9a/........ffff.
FF FF 73 73 73 33 33 33 D6 D6 D6 AC AC AC F5 F5  ..sss333........
F5 A1 A1 A1 8F 8F 8F CC CC CC 83 83 83 C2 C2 C2  ................
E2 E2 E2 B8 B8 B8 EB EB EB 21 F9 04 00 00 00 00  .........!......
00 2C 00 00 00 00 2F 00 13 00 00 04 E9 10 C8 49  .,..../........I
AB BD 38 EB CD BB 15 60 28 8E 64 69 8E 5F A0 AE  ..8....`(.di._..
6C EB BE B0 4A 08 69 6C DF EF 5C E3 FC AD 57 82  l...J.il..\...W.
96 43 70 58 2C 42 88 00 42 50 50 82 1E 0B E5 41  .CpX,B..BPP....A
90 64 04 05 8C D5 8F 12 5C 1D 11 0D C5 12 91 18  .d......\.......
04 0A 87 A6 41 30 10 18 02 07 05 E3 10 68 14 8E  ....A0.......h..
6F 19 0D C8 6A 2B 54 43 09 51 6D 0C 4D 05 0D 5F  o...j+TC.Qm.M.._
09 02 09 09 6F 02 0A 6B 09 5A 7B 5C 2D 4B 6F 05  ....o..k.Z{\-Ko.
20 7F 0C 0D 06 4D 53 4C 03 6B 66 01 8A 21 2C 5B   ....MSL.kf..!,[
13 5D 2A 06 09 0A 74 02 0E 2A 03 69 05 05 84 73  .]*...t..*.i...s
01 9C 67 08 A3 B6 A8 94 AA 2C 0F 0A 0A 50 58 65  ..g......,...PXe
97 0F 05 8A 08 0E 0D 01 0A 9D 02 0B AF 01 B1 C0  ................
3B 52 07 08 4B 20 09 76 67 05 BE 4D 0B 07 07 6F  ;R..K .vg..M...o
CB CD D9 7C 3D EE 30 A9 12 AB EF F4 7A 1F 04 F8  ...|=.0.....z...
F9 FA FB FC FD FE F9 C1 E4 9D 18 48 70 A0 87 83  ...........Hp...
08 13 2A 4C 18 01 00 3B                          ..*L...;

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-- 
Daniel Harrison  EDS
page-danielh at ...1776...
"Please don't stand on the toilets"
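A small triage helper for the flipped-direction records described above. This is an added example, not code from the post or from the Snort project: it parses Snort full-alert text in the layout quoted above, rebuilds the payload from the hex column, and reports records whose addressing line contradicts what the HTTP payload says about who sent it. It assumes port 80 is the server side, and the "looks_reassembled" heuristic (TTL 240, IP ID 0, no DF) is taken only from the two records quoted here, not from Snort documentation.

```python
import re

# Constructed sample modelled on the two records quoted in the post: placeholder
# addresses, and only the first hex line of each payload dump is kept.
SAMPLE_ALERT = """\
[**] WEB-MISC Transfer-Encoding: chunked [**]
01/12-08:33:08.909453 10.0.0.1:21664 -> 208.0.0.1:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:869
***AP*** Seq: 0xABEDC8F5  Ack: 0x5DCCD3B9  Win: 0x86C4  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/12-08:33:08.909460 10.0.0.1:80 -> 208.0.0.1:21664
TCP TTL:255 TOS:0x0 ID:35861 IpLen:20 DgmLen:592 DF
***AP*** Seq: 0xABEDC8F5  Ack: 0x5DCCD3B9  Win: 0x86C4  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
"""

ADDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)
IPHDR = re.compile(r"^TCP TTL:(\d+) TOS:\S+ ID:(\d+) .*?DgmLen:\d+( DF)?$", re.M)
HEXCOL = re.compile(r"^((?:[0-9A-F]{2} )+)", re.M)  # hex column; stops at the ASCII column
REQUEST_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def check_direction(record, server_ports=frozenset({80})):
    """Compare one record's addressing line with the HTTP payload; None if not HTTP."""
    addr, iphdr = ADDR.search(record), IPHDR.search(record)
    if not addr or not iphdr:
        return None
    sport, dport = int(addr.group(3)), int(addr.group(5))
    data = b"".join(bytes.fromhex(m.group(1).strip()) for m in HEXCOL.finditer(record))
    if data.startswith(b"HTTP/"):
        sender_is_server = True        # a status line only ever comes from the server
    elif data.startswith(REQUEST_METHODS):
        sender_is_server = False       # a request line only ever comes from the client
    else:
        return None
    # The addressing line claims the server sent it iff the src port is a server port.
    claims_server_sent = sport in server_ports and dport not in server_ports
    # Assumption from the quoted alert only: the reassembled record shows TTL 240, ID 0, no DF.
    reassembled = iphdr.group(1) == "240" and iphdr.group(2) == "0" and iphdr.group(3) is None
    return {"timestamp": addr.group(1), "src_port": sport, "dst_port": dport,
            "flipped": sender_is_server != claims_server_sent,
            "looks_reassembled": reassembled}

def analyze(alert_text):
    """Split a Snort full-alert file on its =+=+ separator lines and check every record."""
    records = re.split(r"^=\+[=+]*$", alert_text, flags=re.M)
    return [r for r in map(check_direction, records) if r is not None]
```

Run `analyze()` over an alert file to see how many of the chunked-encoding hits are reassembled records whose direction disagrees with the payload, versus real packets.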