[Snort-users] stream4_reassembly problems

Gentoo-Wally gentoowally at ...11827...
Wed May 3 12:57:01 EDT 2006


I've seen this before. It probably has to do with your
'flush_behavior' setting in stream4. The one time I saw this I had
'flush_behavior large_window' set. I would check this first.

 Wally

On 5/3/06, Eric J. Bowser <ebowser at ...13800...> wrote:
> Hi All,
>
> It seems like stream4 reassembly is quite often lumping packets together
> unnecessarily.  I'm running snort 2.4.3 with MySQL support compiled in and
> the SPADE patch, on RedHat 9.0.
>
> For example, here is a packet dump, captured by a rule from bleeding edge,
> "MALWARE Fun Web Products Spyware User Agent (1)"  I have clipped the data
> to only show the user agent portions, and prevent revealing anything private.
>
> Based on the contents, it seems there are three separate GET requests here,
> to three different sites, from three different web browsers on three
> different machines.
>
> Why are these lumped together into a single packet and passed to snort for
> scanning?  The IP address reported by snort in the packet headers is not
> even the infected machine!  The entire packet logged by snort is 1875 bytes
> long by the way...
>
> This is happening on several rules, and is even causing false positives
> because of multiple packets being lumped together.
>
> Thanks for any direction you can provide...
>
> ...
> 030 : 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 55 73 65 72 2D   oogle.com..User-
> 040 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35   Agent: Mozilla/5
> 050 : 2E 30 20 28 57 69 6E 64 6F 77 73 3B 20 55 3B 20   .0 (Windows; U;
> 060 : 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20   Windows NT 5.1;
> 070 : 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 38 2E 30 2E   en-US; rv:1.8.0.
> 080 : 32 3B 20 47 6F 6F 67 6C 65 2D 54 52 2D 31 29 20   2; Google-TR-1)
> 090 : 47 65 63 6B 6F 2F 32 30 30 36 30 33 30 38 20 46   Gecko/20060308 F
> 0a0 : 69 72 65 66 6F 78 2F 31 2E 35 2E 30 2E 32 0D 0A   irefox/1.5.0.2..
> ...
> 440 : 3A 32 34 61 22 0D 0A 55 73 65 72 2D 41 67 65 6E   :24a"..User-Agen
> 450 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28   t: Mozilla/4.0 (
> 460 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45   compatible; MSIE
> 470 : 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54    6.0; Windows NT
> 480 : 20 35 2E 31 3B 20 53 56 31 3B 20 46 75 6E 57 65    5.1; SV1; FunWe
> 490 : 62 50 72 6F 64 75 63 74 73 3B 20 2E 4E 45 54 20   bProducts; .NET
> 4a0 : 43 4C 52 20 31 2E 31 2E 34 33 32 32 29 0D 0A 48   CLR 1.1.4322)..H
> 4b0 : 6F 73 74 3A 20 69 6D 61 67 65 73 32 2E 73 69 6E   ost: images2.sin
> ...
> 610 : 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   e..User-Agent: M
> 620 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
> 630 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30   atible; MSIE 6.0
> 640 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
> 650 : 3B 20 53 56 31 3B 20 2E 4E 45 54 20 43 4C 52 20   ; SV1; .NET CLR
> 660 : 31 2E 31 2E 34 33 32 32 3B 20 49 6E 66 6F 50 61   1.1.4322; InfoPa
> 670 : 74 68 2E 31 29 0D 0A 48 6F 73 74 3A 20 63 6F 6E   th.1)..Host: con
>
> --
> Eric J. Bowser
> Bright.Net NE / Doylestown Communications, Inc.
> 800-535-6423 toll-free
> www.neobright.net
> www.doyestowncommunications.com
>
> "Providing advanced communications since 1899."
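As an added illustration (not code from this thread or from Snort itself), the Python below takes a reassembled buffer like the one Eric posted, splits it back into its individual HTTP requests, and reports which request actually carries the User-Agent string a rule matched on; the sample buffer is constructed and its hostnames are placeholders, only the User-Agent values follow the hexdump above.

```python
"""Split a stream4-reassembled buffer back into its individual HTTP
requests so a signature hit (here: a User-Agent string) can be tied to
the request, and therefore the Host, that actually carried it."""
import re

# Constructed sample: three GET requests to three hosts concatenated the way
# a reassembled pseudo-packet would be handed to the rule engine. User-Agent
# values mirror the thread's hexdump; the hostnames are placeholders.
SAMPLE = (
    b"GET /search?q=x HTTP/1.1\r\nHost: host-a.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2; "
    b"Google-TR-1) Gecko/20060308 Firefox/1.5.0.2\r\n\r\n"
    b"GET /img/1.gif HTTP/1.1\r\nHost: host-b.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    b"FunWebProducts; .NET CLR 1.1.4322)\r\n\r\n"
    b"GET / HTTP/1.1\r\nHost: host-c.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    b".NET CLR 1.1.4322; InfoPath.1)\r\n\r\n"
)

# A request begins at the buffer start or right after a CRLF, where a
# request line (method, target, HTTP version) follows.
_REQ_START = re.compile(
    rb"(?:^|(?<=\r\n))(?=(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n)")

def split_requests(payload: bytes) -> list[dict]:
    """Return one dict per request: method, path and lower-cased header map."""
    starts = [m.start() for m in _REQ_START.finditer(payload)]
    requests = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(payload)
        head = payload[start:end].split(b"\r\n\r\n", 1)[0]  # headers only
        lines = head.split(b"\r\n")
        method, path, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
        requests.append({"method": method.decode(), "path": path.decode(), "headers": headers})
    return requests

def requests_matching_ua(payload: bytes, needle: str) -> list[tuple[str, str]]:
    """(host, user-agent) for every request whose User-Agent contains needle."""
    return [(r["headers"].get("host", "?"), r["headers"].get("user-agent", ""))
            for r in split_requests(payload)
            if needle in r["headers"].get("user-agent", "")]

if __name__ == "__main__":
    print(f"{len(split_requests(SAMPLE))} requests in one reassembled buffer")
    for host, ua in requests_matching_ua(SAMPLE, "FunWebProducts"):
        print(f"signature hit belongs to the request for Host: {host} ({ua})")
```

Run against a real logged payload, only the request whose Host is reported should be treated as the matching client traffic; the other requests in the same buffer are reassembly neighbours, not additional hits.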