[Snort-devel] FW: [Snort-users] Stream4 Mangling? (more details/debugging)

SRH-Lists giermo at ...2099...
Fri Jun 4 12:11:03 EDT 2004


Forwarding to devel to get more attention; I'm getting buried by these
alerts.  I have a cap whittled down to 3.5 MB that reproduces this
reliably.

Confirmed in 2.1.3 also.

Sorry for the cross- and top-posting.

-steve halligan
http://www.333tech.com
http://sguil.sf.net



-----Original Message-----
From: SRH-Lists 
Sent: Wednesday, June 02, 2004 1:58 PM
To: Snort-Users (E-mail)
Subject: RE: [Snort-users] Stream4 Mangling? (more details/debugging)


> 
> According to snort, this packet happened.  I have the full pcap of the
> session if it is needed to recreate the error.  Needless to say, there
> was no such packet on the wire or in the pcap; it is two separate
> packets, one from the client and a response from the server bashed
> together.  Note the 0A0D0A0D after the cookie, that is where this packet
> should really end.
> 
> snort 2.1.2 on OpenBSD 3.4
> 
> 
> 
> ------------------------------------------------------------------------
> Count:3 Event#5.6665 2004-05-27 17:35:22
> WEB-MISC cross site scripting attempt
> a.b.c.d -> e.f.g.h
> IPVer=4 hlen=5 tos=16 dlen=2689 ID=0 flags=0 offset=0 ttl=240 chksum=1
> Protocol: 6 sport=1695 -> dport=80
> 
> Seq=123311182 Ack=1480851998 Off=5 Res=0 Flags=***AP*** Win=16560 urp=0 chksum=0
> Payload:
> 47 45 54 20 2F 45 6D 62 6C 69 62 72 61 72 79 2F GET /xxxxxxxxxx/
> 70 72 6F 64 75 63 74 2E 61 73 70 3F 63 61 74 61 product.asp?cata
> 6C 6F 67 25 35 46 6E 61 6D 65 3D 45 6D 62 6C 69 log%5Fname=xxxxx
> 36 36 45 34 43 41 42 34 31 38 31 34 34 33 39 31 66E4CAB418144391
> 31 46 42 38 43 35 45 37 44 33 31 33 36 41 46 45 1FB8C5E7D3136AFE
> --cut--
> 42 44 37 41 33 45 46 45 43 36 35 30 35 32 42 42 BD7A3EFEC65052BB
> 41 44 42 38 42 44 30 39 46 42 46 35 41 39 38 33 ADB8BD09FBF5A983
> 32 43 32 30 38 37 32 45 37 33 44 35 43 36 34 43 2C20872E73D5C64C
> 46 42 30 36 33 45 42 35 46 45 41 45 42 34 42 42 FB063EB5FEAEB4BB
> 41 44 3B 20 41 53 50 53 45 53 53 49 4F 4E 49 44 AD; ASPSESSIONID
> 43 43 41 42 51 41 43 42 3D 50 48 4A 4E 49 4B 49 CCABQACB=PHJNIKI
> 43 41 4D 4D 4A 44 4E 4A 50 4E 42 4F 4B 47 4C 48 CAMMJDNJPNBOKGLH
> 44 0D 0A 0D 0A 65 3D 22 43 4F 4C 4F 52 3A 30 30 D....e="COLOR:00
> 30 30 30 30 3B 20 46 4F 4E 54 3A 20 31 33 70 74 0000; FONT: 13pt
> 2F 31 35 70 74 20 76 65 72 64 61 6E 61 22 3E 3C /15pt verdana"><
> 21 2D 2D 50 72 6F 62 6C 65 6D 2D 2D 3E 54 68 65 !--Problem-->The
> 20 70 61 67 65 20 63 61 6E 6E 6F 74 20 62 65 20  page cannot be 
> 66 6F 75 6E 64 3C 2F 68 31 3E 0D 0A 20 20 20 20 found</h1>..    

Here is what is happening.  I isolated where the data that was tacked on
to the end of this 'cooked' stream4 packet came from and found something
odd.  Here is how it goes.

1)  Session from a.b.c.d:1695 to e.f.g.h:80 established.
2)  Session from i.j.k.l:63011 to m.n.o.p:80 established.
3)  m.n.o.p sends a FIN ACK to i.j.k.l.
4)  i.j.k.l catches up on a few ACKs, then gives a FIN ACK to m.n.o.p.
5)  m.n.o.p ACKs the FIN ACK from i.j.k.l, and stream4 flushes and drops the session.
6)  A few more ACKs come in from i.j.k.l (out of order; these were ACKs for data earlier in the session).
7)  stream4 doesn't know what to do with these ACKs, so it creates a new session.
8)  Data e.f.g.h->a.b.c.d happens and a client stream flush occurs.  The recreated packet contains data from the 'orphan' i.j.k.l->m.n.o.p session.


stream4 debug output (look for the ###comments### inline):
####here is the FIN from the server###
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A***Fspp_stream4.c:1751: pkt_seq: 1640407173, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A***F
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1880: server packet: ***A***F
spp_stream4.c:2038: Marking that a fin was was sent FROM_SERVER
spp_stream4.c:1460: SetFinSet() called for FROM_SERVER
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2114: Got FIN ACK (0x11)
spp_stream4.c:2120:    Client Transition: CLOSE_WAIT
spp_stream4.c:2120:    Server Transition: FIN_WAIT_1
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2666
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 ->  0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640402970
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2473: Server state: FIN_WAIT_1
spp_stream4.c:2510:    Server Transition: FIN_WAIT_2
spp_stream4.c:2510:    Client Transition: CLOSE_WAIT
spp_stream4.c:4655: server.base_seq(1640324431)
server.last_ack(1640402970) server.next_seq(1640407173)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2667
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640402970, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314:    Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2668
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640404350, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 79982)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314:    Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2669
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640405730, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 81362)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314:    Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2670
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 ->  0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640405730
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:4473: returning -- action nothing
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2671
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 ->  0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:4473: returning -- action nothing
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2672

####After catching up on some ACKs, the client FIN ACKs
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 ->  0x9E45BCCF:80
***A***Fspp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A***F
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A***F
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A***F
spp_stream4.c:2038: Marking that a fin was was sent FROM_CLIENT
spp_stream4.c:1460: SetFinSet() called for FROM_CLIENT
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:2526:    Client Transition: LAST_ACK
spp_stream4.c:2526:    Server Transition: TIME_WAIT
spp_stream4.c:4655: server.base_seq(1640324431)
server.last_ack(1640407173) server.next_seq(1640407173)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x607
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2673

####the server ACKs the FIN ACK and the session is disposed of.
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640402970, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2265: Client state: LAST_ACK
spp_stream4.c:2271: Client Transition: CLOSED
spp_stream4.c:4693: flushing server stream, ending session: 0
spp_stream4.c:4711: flushing client stream, ending session
spp_stream4.c:3991: FlushStream Entered:last_ack(1027250562)
base_seq(1027249968) trCount(1)
gspp_stream4.c:411: (1027249968,1027250561,1027249968) = (low, high,
cur)
spp_stream4.c:411: (1027249968,1027250562,1027250562) = (low, high, cur)
spp_stream4.c:577: Copying 594 bytes into buffer, offset 0, buf 0x1d8046
spp_stream4.c:582: spd->seq_num (1027249968)  s->last_ack (1027250562)
s->base_seq(1027249968) size: (594) s->next_seq(1027250562), offset(0),
MAX(65481)
spp_stream4.c:4336: Built packet to 66.173.109.252 from 9e45bccf with
594 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2674
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:4728: Dumping session
spp_stream4.c:3379: Dropping session 0x1c9a700
spp_stream4.c:3389: [F] Freeing 148 byte session
spp_stream4.c:3498: 1 streams active, 2371 bytes in use
spp_stream4.c:1720: pcount stream packet 2675

####Oh crap, more data in the session.  stream4 can't find a session, so
it makes a new one.  This is the packet that the extra data in the event
came from, btw.
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640404350, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3461: Unable to find session
spp_stream4.c:1758: Calling CreateNewSession()
spp_stream4.c:2910: [A] initializing new session (148 bytes)
spp_stream4.c:3106: Inserting session into session tree...
spp_stream4.c:1778: Picking up session midstream
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 1434 bytes for packet
spp_stream4.c:4655: server.base_seq(1027250562)
server.last_ack(1027250562) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 2 streams active, 4009 bytes in use
spp_stream4.c:1720: pcount stream packet 2676
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640405730, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 1380, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 1434 bytes for packet
spp_stream4.c:4655: server.base_seq(1027250562)
server.last_ack(1027250562) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 2 streams active, 5499 bytes in use
spp_stream4.c:1720: pcount stream packet 2677
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 ->  0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2760, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640404350)
client.last_ack(1640404350) offset(0)
spp_stream4.c:4601: client.base_seq(1640404350)
client.last_ack(1640407174) client.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x103
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 5499 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2678
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 ->  0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2760, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640404350)
client.last_ack(1640407174) offset(2824)
spp_stream4.c:4601: client.base_seq(1640404350)
client.last_ack(1640407174) client.next_seq(0)
spp_stream4.c:4616: Flushing Client packet buffer (2824 bytes a:
0x61C6A086 b: 0x61C6957E pkts: 2)
spp_stream4.c:3991: FlushStream Entered:last_ack(1640407174)
base_seq(1640404350) trCount(2)
gspp_stream4.c:411: (1640404350,1640407173,1640404350) = (low, high,
cur)
spp_stream4.c:411: (1640404350,1640407174,1640405730) = (low, high, cur)
spp_stream4.c:577: Copying 1380 bytes into buffer, offset 0, buf
0x1d8046
spp_stream4.c:582: spd->seq_num (1640404350)  s->last_ack (1640407174)
s->base_seq(1640404350) size: (1380) s->next_seq(1640405730), offset(0),
MAX(65481)
spp_stream4.c:411: (1640404350,1640407173,1640405730) = (low, high, cur)
spp_stream4.c:411: (1640404350,1640407174,1640407110) = (low, high, cur)
spp_stream4.c:577: Copying 1380 bytes into buffer, offset 1380, buf
0x1d8046
spp_stream4.c:582: spd->seq_num (1640405730)  s->last_ack (1640407174)
s->base_seq(1640404350) size: (1380) s->next_seq(1640407110),
offset(1380), MAX(65481)
spp_stream4.c:4256: bd.total_size(2760) < stream_size(2824):Incomplete
segment -- packet loss or weird
spp_stream4.c:4336: Built packet to 207.188.69.158 from fc6dad42 with
2824 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2679
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2680
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 ->  0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640407174)
client.last_ack(1640407174) offset(0)
spp_stream4.c:4601: client.base_seq(1640407174)
client.last_ack(1640407174) client.next_seq(1640407110)
spp_stream4.c:4629: 130 (0) bytes to go before we flush: (0) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2681
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 ->  0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640407174, pkt_ack: 1027250563
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80  cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011  cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:4655: server.base_seq(1027250562)
server.last_ack(1027250563) server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
spp_stream4.c:1720: pcount stream packet 2682

####now back to the other session
spp_stream4.c:1746: Got Packet 0x3B88A240:1695 ->  0xFA6DAD42:80
***AP***spp_stream4.c:1751: pkt_seq: 1480853378, pkt_ack: 123311182
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x3B88A240 sp: 1695  cip:
0xFA6DAD42 cp: 80 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFA6DAD42 sp: 80  cip: 0x3B88A240
cp: 1695 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2649, server: 1941884)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (93 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 93 bytes for packet
spp_stream4.c:4655: server.base_seq(121430018)
server.last_ack(123311182) server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 2668 bytes in use
spp_stream4.c:1720: pcount stream packet 2683

####this is the packet that is the first half of the 'cooked' stream4
packet.  Note that the client stream is flushed here.
spp_stream4.c:1746: Got Packet 0xFA6DAD42:80 ->  0x3B88A240:1695
***A****spp_stream4.c:1751: pkt_seq: 123311182, pkt_ack: 1480851998
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFA6DAD42 sp: 80  cip: 0x3B88A240
cp: 1695 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2688, server: 1941884)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1480850729)
client.last_ack(1480851998) offset(1269)
spp_stream4.c:4601: client.base_seq(1480850729)
client.last_ack(1480851998) client.next_seq(1480850729)
spp_stream4.c:4616: Flushing Client packet buffer (1269 bytes a:
0x5844021E b: 0x5843FD29 pkts: 2)
spp_stream4.c:3991: FlushStream Entered:last_ack(1480851998)
base_seq(1480850729) trCount(2)
gspp_stream4.c:411: (1480850729,1480851997,1480850729) = (low, high,
cur)
spp_stream4.c:411: (1480850729,1480851998,1480851998) = (low, high, cur)
spp_stream4.c:577: Copying 1269 bytes into buffer, offset 0, buf
0x1d8046
spp_stream4.c:582: spd->seq_num (1480850729)  s->last_ack (1480851998)
s->base_seq(1480850729) size: (1269) s->next_seq(1480851998), offset(0),
MAX(65481)
spp_stream4.c:411: (1480850729,1480851997,1480853378) = (low, high, cur)
spp_stream4.c:411: (1480850729,1480851997,1480853378) = (low, high, cur)
spp_stream4.c:633:    => Segment is past last ack'd data, ignoring for
now...
spp_stream4.c:633:         => (39 bytes @ seq 0x58440782, ack:
0x5844021E)
spp_stream4.c:4336: Built packet to 64.162.136.59 from fa6dad42 with
2649 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2684
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:4078: Flusing stream due to an alert!
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:4082: Don't Flush a Rebuilt Stream
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 1289 bytes in use
spp_stream4.c:1720: pcount stream packet 2685
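The contamination path laid out in the eight steps above, as an added model written for this page (not Snort's own code): one static rebuild buffer, sizes taken from the trace. The two FlushStream traces both write into "buf 0x1d8046", and each rebuilt payload (2824, then 2649 bytes) is longer than the bytes actually copied (2760, then 1269); that a shared buffer plus that size mismatch is what lets the orphan session's bytes through is an inference, and the segment contents ('O' and 'V') are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MAX(65481) in the trace: capacity of the rebuilt-packet buffer. */
#define REBUILD_MAX 65481

/* One static buffer reused by every flush, as the identical "buf 0x1d8046"
 * in both FlushStream traces suggests (assumption modelled here). */
static uint8_t rebuild_buf[REBUILD_MAX];

/* A stored segment: offset from the stream's base_seq, constructed fill byte, length. */
struct segment { uint32_t offset; uint8_t fill; size_t len; };

/* The half of a session being flushed. tracked_bytes plays the role of the
 * "Tracked Bytes"/stream_size counter that sizes the rebuilt packet. */
struct stream { size_t tracked_bytes; const struct segment *segs; size_t nsegs; };
struct rebuilt { size_t len; size_t orphan_bytes; };

/* Copy stored segments into the shared buffer; returns bytes actually copied. */
static size_t copy_segments(const struct stream *s) {
    size_t copied = 0;
    for (size_t i = 0; i < s->nsegs; i++) {
        const struct segment *seg = &s->segs[i];
        if ((size_t)seg->offset + seg->len > REBUILD_MAX) continue;  /* drop oversize */
        memset(rebuild_buf + seg->offset, seg->fill, seg->len);
        copied += seg->len;
    }
    return copied;
}

/* Buggy flush: emits tracked_bytes bytes of the shared buffer even when fewer
 * were copied ("bd.total_size < stream_size: Incomplete segment" in the trace),
 * so the tail is whatever the previous flush, maybe another session, left. */
static size_t flush_buggy(const struct stream *s, uint8_t *out) {
    size_t copied = copy_segments(s);
    size_t stream_size = s->tracked_bytes < REBUILD_MAX ? s->tracked_bytes : REBUILD_MAX;
    if (copied < stream_size)
        printf("Incomplete segment -- copied %zu of %zu, emitting anyway\n", copied, stream_size);
    memcpy(out, rebuild_buf, stream_size);
    return stream_size;
}

/* Hardened flush: wipe the buffer first and size the packet by bytes copied,
 * so a short or gapped stream can never carry another session's bytes. */
static size_t flush_fixed(const struct stream *s, uint8_t *out) {
    memset(rebuild_buf, 0, REBUILD_MAX);
    size_t copied = copy_segments(s);
    memcpy(out, rebuild_buf, copied);
    return copied;
}

/* Replay the two flushes from the trace (sizes from the log, contents constructed):
 * the orphan i.j.k.l session copies 2760 of 2824 bytes, then the a.b.c.d session
 * copies 1269 bytes but is emitted as a 2649-byte packet. Counts the orphan's
 * 'O' bytes that end up inside the a.b.c.d packet. */
static struct rebuilt replay(size_t (*flush)(const struct stream *, uint8_t *)) {
    static uint8_t pkt[REBUILD_MAX];
    const struct segment orphan_segs[] = { {0, 'O', 1380}, {1380, 'O', 1380} };
    const struct segment victim_segs[] = { {0, 'V', 1269} };
    const struct stream orphan = { 2824, orphan_segs, 2 };
    const struct stream victim = { 2649, victim_segs, 1 };
    struct rebuilt r = { 0, 0 };
    flush(&orphan, pkt);
    r.len = flush(&victim, pkt);
    for (size_t i = 0; i < r.len; i++) if (pkt[i] == 'O') r.orphan_bytes++;
    return r;
}

int main(void) {
    struct rebuilt b = replay(flush_buggy), f = replay(flush_fixed);
    printf("buggy: %zu-byte packet, %zu orphan bytes; fixed: %zu-byte packet, %zu orphan bytes\n",
           b.len, b.orphan_bytes, f.len, f.orphan_bytes);
    return 0;
}
```

With the buggy flush the a.b.c.d packet comes out 2649 bytes long with its last 1380 bytes taken from the orphan session, matching the 'cooked' alert payload; the hardened flush emits only the 1269 bytes it copied.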



