[Snort-users] snort 2.3.3 --enable-flexresp

Rich Adamson radamson at ...2127...
Mon Apr 25 11:02:06 EDT 2005


> >When you use a telnet client to generate test traffic, the telnet client
> >will generally send one TCP segment per character because the telnet
> >client explicitly disables the nagle algorithm.
> >
> 
> Side note: this depends a LOT on which telnet client you use. Apparently
> some telnet clients do send data in bursts under some circumstances, and
> others send it byte-by-byte.
> 
> In general, it's probably a better idea to test with netcat, or similar
> tools which don't play games with what gets put on the wire..
> 
> However, it would be better if stream4 could re-assemble this, but AFAIK
> it cannot. It's really more designed for simple segmentation cases, not
> really slow byte-by-byte transfers.
> 
> For example, this packet was captured using the RedHat Linux telnet
> client connecting to a sendmail server on port 25. No data was sent
> until I hit CR:
>            
> "HELLO<cr/lf>" (hex 48 45 4c 4c 4f 0d 0a)
> 
> 11:45:45.105951 10.0.0.xx.17098 > 192.168.50.xx.smtp: P [tcp sum ok]
> 1:8(7) ack 87 win 5840 <nop,nop,timestamp 351528130 182833090> (DF) [tos
>  0x10]  (ttl 64, id 23716, len 59)
>                          4510 003b 5ca4 4000 4006 e145 0a00 00xx
>                          c0a8 32xx 42ca 0019 0edf e86f f6fb 2d7b
>                          8018 16d0 4275 0000 0101 080a 14f3 e4c2
>                          0ae5 cfc2 4845 4c4c 4f0d 0a
> 
> 
> However, this stream came from telneting to the same server with the
> Microsoft Windows command prompt telnet client, and it sent each
> character as I typed it, and the server acknowledged each TCP segment
> before I could type another character.
>                 
> "H" (hex 48)      
> 11:47:48.028835 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
> 1:2(1) ack 87 win 64154 (DF) (ttl 128, id 13723, len 41)
>                          4500 0029 359b 4000 8006 c42b 0a00 04xx
>                          c0a8 32xx 0580 0019 13f4 6729 cdd4 7084
>                          5018 fa9a ad18 0000 4800 0000 0000
> 11:47:48.028887 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
> 2 win 5840 (DF) (ttl 64, id 40418, len 40)
>                          4500 0028 9de2 4000 4006 9be5 c0a8 32xx
>                          0a00 04xx 0019 0580 cdd4 7084 13f4 672a
>                          5010 16d0 d8eb 0000
> "E" (hex 45)
> 11:47:48.654637 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
> 2:3(1) ack 87 win 64154 (DF) (ttl 128, id 13725, len 41)
>                          4500 0029 359d 4000 8006 c429 0a00 04xx
>                          c0a8 32xx 0580 0019 13f4 672a cdd4 7084
>                          5018 fa9a b017 0000 4500 0000 0000
> 11:47:48.654688 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
> 3 win 5840 (DF) (ttl 64, id 56749, len 40)
>                          4500 0028 ddad 4000 4006 5c1a c0a8 32xx
>                          0a00 04xx 0019 0580 cdd4 7084 13f4 672b
>                          5010 16d0 d8ea 0000
> "L" (hex 4c)
> 11:47:49.141334 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
> 3:4(1) ack 87 win 64154 (DF) (ttl 128, id 13727, len 41)
>                          4500 0029 359f 4000 8006 c427 0a00 04xx
>                          c0a8 32xx 0580 0019 13f4 672b cdd4 7084
>                          5018 fa9a a916 0000 4c00 0000 0000
> 11:47:49.141389 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
> 4 win 5840 (DF) (ttl 64, id 47892, len 40)
>                          4500 0028 bb14 4000 4006 7eb3 c0a8 32xx
>                          0a00 04xx 0019 0580 cdd4 7084 13f4 672c
>                          5010 16d0 d8e9 0000
> "L" (hex 4c)
> 11:47:49.474804 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
> 4:5(1) ack 87 win 64154 (DF) (ttl 128, id 13729, len 41)
>                          4500 0029 35a1 4000 8006 c425 0a00 04xx
>                          c0a8 32xx 0580 0019 13f4 672c cdd4 7084
>                          5018 fa9a a915 0000 4c00 0000 0000
> 11:47:49.474865 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
> 5 win 5840 (DF) (ttl 64, id 43544, len 40)
>                          4500 0028 aa18 4000 4006 8faf c0a8 32xx
>                          0a00 04xx 0019 0580 cdd4 7084 13f4 672d
>                          5010 16d0 d8e8 0000
> "O" (hex 4f)
> 11:47:49.769274 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
> 5:6(1) ack 87 win 64154 (DF) (ttl 128, id 13731, len 41)
>                          4500 0029 35a3 4000 8006 c423 0a00 04xx
>                          c0a8 32xx 0580 0019 13f4 672d cdd4 7084
>                          5018 fa9a a614 0000 4f00 0000 0000
> 11:47:49.769318 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
> 6 win 5840 (DF) (ttl 64, id 50071, len 40)
>                          4500 0028 c397 4000 4006 7630 c0a8 32xx
>                          0a00 04xx 0019 0580 cdd4 7084 13f4 672e
>                          5010 16d0 d8e7 0000

Telnet clients use a short duration timer to determine when to send
data. The timer is typically around 50 milliseconds or so, but can
vary by vendor, etc.  If you're very quick with keypresses, it's usually
not too difficult to get two or three characters stuffed into each
packet (as an example only).

As you already mentioned, it does vary from one client to another.
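The point of the two captures above is that a content match run packet by packet sees "HELLO" in the Linux telnet session (one 7-byte segment) but never in the Windows session (five 1-byte segments), which is exactly the gap that stream reassembly is meant to close. The following script is an added example, not code from the thread or from Snort; it parses tcpdump -x style hex dumps into IPv4/TCP segments, trims Ethernet padding using the IP total length (the Windows packets above are 41 bytes on the wire but dumped as 46), reassembles each direction by sequence number, and compares a per-packet match with a match over the reassembled stream. The packets are constructed to mirror the ones in the thread, with the anonymized "xx" octets replaced by private addresses (10.0.4.1, 10.0.0.1, 192.168.50.2), zeroed checksums (the example does not validate them), and one deliberate retransmission of the second "L" to exercise duplicate handling.

```python
"""Per-packet vs. reassembled-stream matching on byte-per-segment telnet traffic.

Added example; constructed packets modeled on the thread's tcpdump output.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

PATTERN = b"HELLO"
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the whitespace-separated hex groups of a tcpdump -x dump into raw bytes."""
    return bytes.fromhex("".join(re.findall(r"[0-9a-fA-F]+", dump)))


def parse_ipv4_tcp(raw: bytes) -> Segment:
    """Parse an IPv4+TCP packet; the IP total length drops any trailing frame padding."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    raw = raw[:total_len]  # 46 bytes on the wire, 41 bytes of datagram -> keep 41
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4  # data offset covers TCP options (8 words on the Linux packet)
    return Segment(src, sport, dst, dport, seq, tcp[doff:])


def per_packet_hits(segments: List[Segment], pattern: bytes = PATTERN) -> List[Segment]:
    """The naive approach: look for the pattern inside each segment on its own."""
    return [s for s in segments if pattern in s.payload]


def reassemble(segments: List[Segment], flow: Flow) -> bytes:
    """Concatenate one direction's payload in sequence order.

    Each byte is keyed by its absolute sequence number; a retransmitted or
    overlapping byte keeps the first copy seen, and reassembly stops at the
    first hole. (Snort's stream reassembler applies per-target overlap policies;
    this first-seen rule is just the simplest choice for the example.)
    """
    bytes_by_seq: Dict[int, int] = {}
    for s in segments:
        if (s.src, s.sport, s.dst, s.dport) != flow or not s.payload:
            continue  # other direction, or a bare ACK with no data
        for i, b in enumerate(s.payload):
            bytes_by_seq.setdefault(s.seq + i, b)
    if not bytes_by_seq:
        return b""
    out = bytearray()
    pos = min(bytes_by_seq)
    while pos in bytes_by_seq:
        out.append(bytes_by_seq[pos])
        pos += 1
    return bytes(out)


def win_char_dump(seq_lo: str, ipid: str, char_hex: str) -> str:
    """Constructed 1-byte PSH/ACK segment in the shape of the Windows telnet capture."""
    return (f"4500 0029 {ipid} 4000 8006 0000 0a00 0401\n"
            f"c0a8 3202 0580 0019 13f4 {seq_lo} cdd4 7084\n"
            f"5018 fa9a 0000 0000 {char_hex}00 0000 0000")


# Constructed capture: five 1-byte Windows segments (plus one retransmit), one
# server ACK with no data, and the Linux client's single 7-byte "HELLO\r\n" segment.
CAPTURE = [
    win_char_dump("6729", "359b", "48"),  # "H"
    "4500 0028 9de2 4000 4006 0000 c0a8 3202\n"
    "0a00 0401 0019 0580 cdd4 7084 13f4 672a\n"
    "5010 16d0 0000 0000",                # server ack 2
    win_char_dump("672a", "359d", "45"),  # "E"
    win_char_dump("672b", "359f", "4c"),  # "L"
    win_char_dump("672b", "359f", "4c"),  # "L" retransmitted (duplicate)
    win_char_dump("672c", "35a1", "4c"),  # "L"
    win_char_dump("672d", "35a3", "4f"),  # "O"
    "4510 003b 5ca4 4000 4006 0000 0a00 0001\n"
    "c0a8 3202 42ca 0019 0edf e86f f6fb 2d7b\n"
    "8018 16d0 0000 0000 0101 080a 14f3 e4c2\n"
    "0ae5 cfc2 4845 4c4c 4f0d 0a",        # Linux client: HELLO\r\n in one segment
]
WINDOWS_FLOW: Flow = ("10.0.4.1", 1408, "192.168.50.2", 25)
LINUX_FLOW: Flow = ("10.0.0.1", 17098, "192.168.50.2", 25)


def demo() -> dict:
    segs = [parse_ipv4_tcp(hexdump_to_bytes(d)) for d in CAPTURE]
    return {
        "per_packet_hits": len(per_packet_hits(segs)),  # only the Linux segment
        "windows_stream": reassemble(segs, WINDOWS_FLOW),
        "linux_stream": reassemble(segs, LINUX_FLOW),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Run as-is, the per-packet pass reports a single hit (the Linux segment) while the reassembled Windows stream is `b"HELLO"` and matches; this is the byte-by-byte case the reply says stream4 was not really designed for, and it is also why netcat, which writes exactly what it is given, is the more predictable test generator.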
