[Snort-devel] 'established' with Snort 2.x on openbsd

Jon Hart warchild at ...1775...
Thu Apr 1 21:28:01 EST 2004


Greetings,

This is somewhat of a follow-up to Ryan's email back in December, found
here:

	http://marc.theaimsgroup.com/?l=snort-users&m=107169234400932&w=2

I'm having nearly identical issues here:

Snort 2.1.2
OpenBSD -current as of late February 2004, i386
default ruleset, default plugins
using syslog and tcpdump output logging
$HOME_NET == any
run with 'snort -i xl1 -CXdIeyz -c /share/snort/etc/snort.conf'

None of the rules that use the 'established' option to the flow keyword
are triggering, which means that I'm catching next to nothing.  If I
remove the 'established', the rule fires as expected.

I've rebuilt snort with debugging enabled, run with SNORT_DEBUG=8192.
Attached is the debugging output for a quick smtp connection that should
trigger the 'vrfy root' rule, but doesn't because of the established
business.  Also attached is a pcap of that traffic.

I can't seem to figure out what the problem is.  It doesn't seem to be
any of the more exotic pf options, and everything else on the system is
perfect.

Thanks in advance to anyone that can help!

-jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-debug.pcap
Type: application/octet-stream
Size: 1262 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040401/8f093bc0/attachment.obj>
-------------- next part --------------
spp_stream4.c:1720: pcount stream packet 1
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ******S*
spp_stream4.c:1751: pkt_seq: 3727669025, pkt_ack: 0
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ******S*
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ******S*
spp_stream4.c:3461: Unable to find session
spp_stream4.c:1758: Calling CreateNewSession()
spp_stream4.c:2799: [A] initializing new session (148 bytes)
spp_stream4.c:3106: Inserting session into session tree...
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ******S*
spp_stream4.c:2354: Server state: LISTEN
spp_stream4.c:2371:    Client Transition: SYN_SENT
spp_stream4.c:2371:    Server Transition: SYN_RCVD
spp_stream4.c:4473: returning -- action nothing
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1720: pcount stream packet 2
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A****
spp_stream4.c:1751: pkt_seq: 3727669026, pkt_ack: 3054611050
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2381: Server state: SYN_RCVD
spp_stream4.c:2402:    Server Transition: ESTABLISHED
spp_stream4.c:4534: WARNING: Fishy TWH from client (0x71BEA044:52000->0xD4495C42:25) (ack: 0xB611AA6A  isn: 0x0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1720: pcount stream packet 3
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A****
spp_stream4.c:1751: pkt_seq: 3727669026, pkt_ack: 3054611078
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:4655: server.base_seq(3054611050) server.last_ack(3054611078) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1720: pcount stream packet 4
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***AP***
spp_stream4.c:1751: pkt_seq: 3727669026, pkt_ack: 3054611078
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (77 bytes)
spp_stream4.c:3731: WARNING: Data on unestablished session (state: 3)!
spp_stream4.c:4655: server.base_seq(3054611050) server.last_ack(3054611078) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1720: pcount stream packet 5
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A****
spp_stream4.c:1751: pkt_seq: 3727669037, pkt_ack: 3054611108
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 11, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:4655: server.base_seq(3054611050) server.last_ack(3054611108) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1720: pcount stream packet 6
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***AP***
spp_stream4.c:1751: pkt_seq: 3727669037, pkt_ack: 3054611108
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 11, server: 0)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (71 bytes)
spp_stream4.c:3731: WARNING: Data on unestablished session (state: 3)!
spp_stream4.c:4655: server.base_seq(3054611050) server.last_ack(3054611108) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1720: pcount stream packet 7
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A***F
spp_stream4.c:1751: pkt_seq: 3727669042, pkt_ack: 3054611108
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ***A***F
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ***A***F
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 16, server: 0)
spp_stream4.c:1886: client packet: ***A***F
spp_stream4.c:2038: Marking that a fin was was sent FROM_CLIENT
spp_stream4.c:1460: SetFinSet() called for FROM_CLIENT
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:2415:    Client Transition: FIN_WAIT_1
spp_stream4.c:4655: server.base_seq(3054611050) server.last_ack(3054611108) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1720: pcount stream packet 8
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A****
spp_stream4.c:1751: pkt_seq: 3727669043, pkt_ack: 3054611109
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x71BEA044 sp: 52000  cip: 0xD4495C42 cp: 25 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xD4495C42 sp: 25  cip: 0x71BEA044 cp: 52000 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 16, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2544: Server state: CLOSE_WAIT
spp_stream4.c:2567:    Client Transition: FIN_WAIT_2
spp_stream4.c:4655: server.base_seq(3054611050) server.last_ack(3054611109) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 1 streams active, 992 bytes in use
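The trace above only ever shows packets from 0x71BEA044:52000 towards 0xD4495C42:25: there is no SYN/ACK from the server, the server ISN stays 0 ("Fishy TWH from client ... isn: 0x0"), and server.next_seq never moves, so stream4 never marks the session ESTABLISHED and every flow:established rule stays silent. The script below is an added example, not part of the original post and not Snort code: it replays the "Got Packet" lines from a stream4 debug trace through a minimal three-way-handshake tracker and reports, per session, whether the sensor saw both directions. The sample traces are constructed (the one-directional one mirrors the post, the bidirectional one is invented for contrast), and the tracker is a deliberate simplification of stream4's state machine (it ignores mid-stream packets with no tracked SYN).

```python
import re

# Snort prints TCP flags as an 8-character string in the order "12UAPRSF"
# (two reserved bits, then URG, ACK, PSH, RST, SYN, FIN). The regex also copes
# with the debug output where the next "spp_stream4.c:1751:" line is fused
# onto the end of the flags field, because it matches exactly eight flag chars.
PKT_RE = re.compile(
    r"Got Packet (0x[0-9A-Fa-f]+):(\d+) ->\s+(0x[0-9A-Fa-f]+):(\d+) ([*12UAPRSF]{8})"
)

# Constructed sample: the client-only packets from the trace in the post.
UNIDIRECTIONAL_LOG = """\
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ******S*spp_stream4.c:1751: pkt_seq: 3727669025, pkt_ack: 0
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A****
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***AP***
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A***F
"""

# Constructed sample: what the sensor should see when both directions are captured.
BIDIRECTIONAL_LOG = """\
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ******S*
spp_stream4.c:1746: Got Packet 0xD4495C42:25 ->  0x71BEA044:52000 ***A**S*
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***A****
spp_stream4.c:1746: Got Packet 0xD4495C42:25 ->  0x71BEA044:52000 ***AP***
spp_stream4.c:1746: Got Packet 0x71BEA044:52000 ->  0xD4495C42:25 ***AP***
"""


def parse_packets(log_text):
    """Yield (src, sport, dst, dport, flags) for every stream4 'Got Packet' line."""
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def track_sessions(log_text):
    """Replay packets through a minimal handshake tracker.

    Sessions are keyed by the (client, server) 4-tuple of the SYN. A session
    reaches ESTABLISHED only after the sensor has seen SYN (client),
    SYN/ACK (server) and ACK (client). Packets for which no SYN was tracked
    are dropped, a simplification of stream4's own mid-stream handling.
    """
    sessions = {}
    for src, sport, dst, dport, flags in parse_packets(log_text):
        syn, ack = flags[6] == "S", flags[3] == "A"
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in sessions:
            s, from_client = sessions[fwd], True
        elif rev in sessions:
            s, from_client = sessions[rev], False
        elif syn and not ack:
            s = sessions[fwd] = {"state": "SYN_SENT", "c2s": 0, "s2c": 0}
            from_client = True
        else:
            continue
        s["c2s" if from_client else "s2c"] += 1
        if s["state"] == "SYN_SENT" and not from_client and syn and ack:
            s["state"] = "SYN_RCVD"
        elif s["state"] == "SYN_RCVD" and from_client and ack and not syn:
            s["state"] = "ESTABLISHED"
    return sessions


def diagnose(log_text):
    """Return one verdict per session: 'established', or why it is not."""
    verdicts = {}
    for key, s in track_sessions(log_text).items():
        if s["state"] == "ESTABLISHED":
            verdicts[key] = "established"
        elif s["s2c"] == 0:
            verdicts[key] = ("unidirectional capture: no server->client packets seen, "
                             "handshake cannot complete")
        else:
            verdicts[key] = "handshake incomplete (state %s)" % s["state"]
    return verdicts


if __name__ == "__main__":
    for name, log in (("one direction", UNIDIRECTIONAL_LOG), ("both directions", BIDIRECTIONAL_LOG)):
        for key, verdict in diagnose(log).items():
            print("%s: %s:%d -> %s:%d: %s" % ((name,) + key + (verdict,)))
```

When the verdict is "unidirectional capture", the fix is on the capture path rather than in the rules: check that the sniffing interface (xl1 here) actually carries the return traffic, e.g. with tcpdump on that interface filtered for src port 25, before touching the stream4 or flow configuration.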

