[Snort-devel] patch to add RST+CWR flag on spp_stream4 (snort243b26)

rmkml rmkml at ...879...
Fri Dec 30 03:14:08 EST 2005


Hi,
recently, Snort 2.4.x gives many warnings:
  12/29-13:43:35.750132  [**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**] {TCP} 61.231.126.47:3148 -> y.y.y.y:80
Look at this packet with tcpdump 3.9.4:
  13:43:35.750132 IP (tos 0x0, ttl  83, id 4660, offset 0, flags [none], proto: TCP (6), length: 40) 61.231.126.47.3148 > y.y.y.y.80: RW, cksum 0xcce9 (correct), 2236625840:2236625840(0) win 0
I received this packet after a good TCP session. Here is a quick hack to preprocessors/spp_stream4.c:

--- preprocessors/spp_stream4.c 2005/12/30 09:18:50     1.1
+++ preprocessors/spp_stream4.c 2005/12/30 10:53:57
@@ -3387,6 +3387,7 @@

          case TH_RST:
          case TH_RST|TH_ACK:
+        case TH_RST|TH_RES1:
              break;

          default: /*
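Review bot: the new label `case TH_RST|TH_RES1:` carries no comment, while the subject line and the tcpdump output in the mail ("RW") show that the bit in question is CWR; a one-line comment next to the case saying that TH_RES1 is the bit tcpdump prints as W and that an RST carrying it is being treated as a normal teardown would make the intent recoverable without cross-referencing the mail. Also, the accepted set after this hunk is TH_RST, TH_RST|TH_ACK and TH_RST|TH_RES1 only, so a reset carrying both ACK and CWR still falls through to `default` and will alert; if the intent is to accept any RST whose extra bits are limited to ACK and CWR, a masked test such as `(flags & ~(TH_ACK|TH_RES1)) == TH_RST` would cover those combinations in one place instead of enumerating them.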

It's not a very good patch, but it works.

By default, Snort does not warn about this; change the config to the following to see the warning:
  #preprocessor stream4: disable_evasion_alerts
  preprocessor stream4: disable_evasion_alerts, detect_scans

Improve/comments are welcome.

Regards
Rmkml
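Added example, written for this page and not taken from the post or from Snort's sources: a small Python model of the flag check the patch touches, useful for confirming what the quoted tcpdump line decodes to and which reset variants the hunk's case list accepts. The TH_* bit values are assumed to follow Snort's decode.h (TH_RES1 being the 0x80 bit that tcpdump prints as W, i.e. CWR), the tcpdump letter mapping is assumed from tcpdump's single-letter flag notation, the sample line is the one quoted in the post, and the accepted set is taken from the case labels in the hunk rather than from the full switch in spp_stream4.c.

```python
import re

# TCP flag bits as Snort names them (assumed to match Snort's decode.h;
# TH_RES1 is the high bit, 0x80, which tcpdump prints as "W", the CWR bit).
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PUSH = 0x08
TH_ACK = 0x10
TH_URG = 0x20
TH_RES2 = 0x40  # ECE in RFC 3168 terms, tcpdump letter "E"
TH_RES1 = 0x80  # CWR in RFC 3168 terms, tcpdump letter "W"

FLAG_NAMES = [
    (TH_FIN, "TH_FIN"), (TH_SYN, "TH_SYN"), (TH_RST, "TH_RST"), (TH_PUSH, "TH_PUSH"),
    (TH_ACK, "TH_ACK"), (TH_URG, "TH_URG"), (TH_RES2, "TH_RES2"), (TH_RES1, "TH_RES1"),
]

# tcpdump's single-letter flag notation (assumed; "." is how tcpdump marks ACK).
TCPDUMP_LETTERS = {
    "F": TH_FIN, "S": TH_SYN, "R": TH_RST, "P": TH_PUSH,
    ".": TH_ACK, "U": TH_URG, "E": TH_RES2, "W": TH_RES1,
}

# The packet line quoted in the post (tcpdump 3.9 output format).
SAMPLE_TCPDUMP = (
    "13:43:35.750132 IP (tos 0x0, ttl  83, id 4660, offset 0, flags [none], "
    "proto: TCP (6), length: 40) 61.231.126.47.3148 > y.y.y.y.80: RW, "
    "cksum 0xcce9 (correct), 2236625840:2236625840(0) win 0"
)


def flags_from_tcpdump(token: str) -> int:
    """Convert a tcpdump flag token such as "RW" or "S." to raw TCP flag bits."""
    bits = 0
    for ch in token:
        if ch not in TCPDUMP_LETTERS:
            raise ValueError(f"unknown tcpdump flag letter {ch!r}")
        bits |= TCPDUMP_LETTERS[ch]
    return bits


def flags_from_tcpdump_line(line: str) -> int:
    """Pull the flag token out of a tcpdump 3.9-style TCP line ("src > dst: FLAGS, ...")."""
    m = re.search(r">\s*[\w.:]+?:\s+([FSRPUEW.]+),", line)
    if not m:
        raise ValueError("no TCP flag token found in line")
    return flags_from_tcpdump(m.group(1))


def describe(flags: int) -> str:
    """Render flag bits with Snort's TH_* names, e.g. 0x84 -> "TH_RST|TH_RES1"."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return "|".join(names) if names else "none"


def rst_accepted_by_stream4(flags: int, patched: bool) -> bool:
    """Mirror the case labels in the hunk: which flag words hit the silent `break`
    instead of falling through to `default` (the stealth-activity alert).
    Unpatched: TH_RST and TH_RST|TH_ACK. Patched: TH_RST|TH_RES1 is added."""
    accepted = {TH_RST, TH_RST | TH_ACK}
    if patched:
        accepted.add(TH_RST | TH_RES1)
    return flags in accepted


def check_line(line: str, patched: bool) -> dict:
    """Decode one tcpdump line and say whether stream4 would alert on it."""
    flags = flags_from_tcpdump_line(line)
    return {
        "flags": describe(flags),
        "alerts": not rst_accepted_by_stream4(flags, patched),
    }


if __name__ == "__main__":
    for patched in (False, True):
        result = check_line(SAMPLE_TCPDUMP, patched)
        state = "patched" if patched else "unpatched"
        print(f"{state}: flags={result['flags']} alerts={result['alerts']}")
    # A reset carrying both ACK and CWR is still not in the hunk's case list.
    print("RST|ACK|CWR accepted after patch:",
          rst_accepted_by_stream4(TH_RST | TH_ACK | TH_RES1, patched=True))
```

Running the block shows the quoted packet decoding to TH_RST|TH_RES1, alerting before the patch and passing after it, and makes the remaining gap visible: the hunk enumerates exact flag words, so a reset that carries both ACK and CWR still reaches `default`.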
