[Snort-users] question about spp stream4 retransmission

Michel Christophe tofm2 at ...1855...
Sat Dec 20 07:17:03 EST 2003


Hello

I have recently activated my snort stream 4 preprocessor on my system.

It gives me numerous alerts
such as these:


Dec 16 21:10:32 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 21:10:34 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 22:56:27 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4115 -> 192.168.0.1:80
Dec 16 22:56:29 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4116 -> 192.168.0.1:80
Dec 18 09:25:28 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.203.69.36:3892 -> 192.168.0.1:80
Dec 18 16:02:53 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.224.83.136:12685 -> 192.168.0.1:80
Dec 18 16:02:56 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.224.83.136:12849 -> 192.168.0.1:80
Dec 18 16:34:50 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 80.14.9.150:2174 -> 192.168.0.1:80
Dec 18 17:31:46 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 80.9.187.144:4303 -> 192.168.0.1:80
Dec 18 18:19:15 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 193.249.52.90:1338 -> 192.168.0.1:80
Dec 19 15:40:20 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 193.250.212.150:1533 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32856 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32855 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32858 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:44 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32859 -> 192.168.0.1:80
Dec 20 10:47:44 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32860 -> 192.168.0.1:80

My network is equipped with a web server on internal address 192.168.0.1
with public access.
I need to leave free web access to anybody.

Pardon me for this stupid newbie question, but what is this preprocessor
supposed to detect?

If it detects any web transfer, is it possible to reduce its output only
to non-web-server transfers?

Thanks for any clues.



-- 
Michel Christophe <tofm2 at ...1855...>
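
An added example, not part of the original post: one way to summarize alerts in the syslog format shown above by source address, so it is easy to see whether they come from a few clients in short bursts. The sample lines are copied from the post; the function names and the assumed year (syslog timestamps carry none) are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Alert lines copied from the post above (a subset of them).
SAMPLE = """\
Dec 16 21:10:32 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 21:10:34 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 22:56:27 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4115 -> 192.168.0.1:80
Dec 16 22:56:29 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4116 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32858 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:44 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32859 -> 192.168.0.1:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*? \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text, year=2003):
    """Yield a dict per alert line. Syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
            yield rec

def summarize(text, gid="111", sid="3"):
    """Per source address: alert count, distinct source ports, time span."""
    by_src = defaultdict(list)
    for rec in parse_alerts(text):
        if (rec["gid"], rec["sid"]) == (gid, sid):
            by_src[rec["src"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        times = [r["time"] for r in recs]
        summary[src] = {
            "alerts": len(recs),
            "src_ports": len({r["sport"] for r in recs}),
            "span_s": int((max(times) - min(times)).total_seconds()),
        }
    return summary

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s)
```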