[Snort-users] Fw: stream4 preprocessor and resetting the stream due to alert

William Metcalf William_Metcalf at ...8458...
Mon May 10 07:23:11 EDT 2004







----- Forwarded by William Metcalf/is/kcmo on 05/05/2004 06:45 AM -----
                                                                       
             William                                                   
             Metcalf/is/kcmo                                           
                                                                        To
             05/03/2004 11:30          snort-devel at lists.sourceforge.net
             PM                                                         cc
                                                                       
                                                                   Subject
                                       stream4 preprocessor and resetting
                                       the stream due to alert         
                                                                       
                                                                       
                                                                       
                                                                       
                                                                       
                                                                       



I know that you guy's don't deal with snort_inline, and I'm not much of a
developer, but I'm trying to figure out if there is a way to stop flushing
the stream due to an alert in the stream4 preprocessor.  snort_inline drops
bad traffic which causes the attacker to retransmit the packet for some
reason this causes snort_inline to eventually allow the bad packet to pass
even though we see alerts on it.  Any help would be greatly appreciated.

spp_stream4.c:1720: pcount stream packet 31
spp_stream4.c:1746: Got Packet 0x6401A8C0:2948 ->  0x6501A8C0:80
***AP***spp_stream4.c:1751: pkt_seq: 2241703975, pkt_ack: 1212128272
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x6401A8C0 sp: 2948  cip: 0x6501A8C0
cp: 80 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x6501A8C0 sp: 80  cip: 0x6401A8C0 cp:
2948 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (426 bytes)
spp_stream4.c:3655: EVASIVE RETRANS: pkt seq: 0x859DB027 stream->last_ack:
0x859DB1A9
spp_stream4.c:4655: server.base_seq(1212128272) server.last_ack(1212128272)
server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1674: Prune time quanta exceeded, pruning stream cache
spp_stream4.c:1685: Pruned for timeouts, 1 sessions active, 992 bytes in
use
spp_stream4.c:1685: Stream4 memory cap hit 0 times
spp_stream4.c:4078: Flusing stream due to an alert!
spp_stream4.c:4103: [AFS] Bytes Tracked: 386
spp_stream4.c:4106: [AFS] Bytes Tracked: 0
spp_stream4.c:4115: Moved the base_seq to 2241704361!

Regards,

Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040510/76eec6ce/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040510/76eec6ce/attachment.gif>


More information about the Snort-users mailing list