[Snort-users] stream4_reassembly problems

Eric J. Bowser ebowser at ...13800...
Wed May 3 13:35:06 EDT 2006


I'm afraid I don't fully understand the plugin, and the docs don't make it
too clear.

All I have set in the conf related to stream4_reassemble is to turn it on:
"preprocessor stream4_reassemble"

What is the default flush behavior?  Do you have a suggestion as to what
setting I should try next, or better yet, a method I could follow to
determine what setting is "right" for my network?

Thanks much,
Eric

Gentoo-Wally wrote:
> I've seen this before. It probably has to do with your
> 'flush_behavior' setting in stream4. The one time I saw this I had
> 'flush_behavior large_window' set. I would check this first.
> 
> Wally
> 
> On 5/3/06, Eric J. Bowser <ebowser at ...13800...> wrote:
> 
>> Hi All,
>>
>> It seems like stream4 reassembly is quite often lumping packets together
>> unnecessarily.  I'm running snort 2.4.3 with mySQL support compiled in and
>> the SPADE patch, on RedHat 9.0.
>>
>> For example, here is a packet dump, captured by a rule from bleeding edge,
>> "MALWARE Fun Web Products Spyware User Agent (1)".  I have clipped the data
>> to only show the user agent portions, and prevent revealing anything
>> private.
>>
>> Based on the contents, it seems there are three separate GET requests here,
>> to three different sites, from three different web browsers on three
>> different machines.
>>
>> Why are these lumped together into a single packet and passed to snort for
>> scanning?  The IP address reported by snort in the packet headers is not
>> even the infected machine!  The entire packet logged by snort is 1875 bytes
>> long, by the way...
>>
>> This is happening on several rules, and is even causing false positives
>> because of multiple packets being lumped together.
>>
>> Thanks for any direction you can provide...
>>
>> ...
>> 030 : 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 55 73 65 72 2D   oogle.com..User-
>> 040 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35   Agent: Mozilla/5
>> 050 : 2E 30 20 28 57 69 6E 64 6F 77 73 3B 20 55 3B 20   .0 (Windows; U;
>> 060 : 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20   Windows NT 5.1;
>> 070 : 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 38 2E 30 2E   en-US; rv:1.8.0.
>> 080 : 32 3B 20 47 6F 6F 67 6C 65 2D 54 52 2D 31 29 20   2; Google-TR-1)
>> 090 : 47 65 63 6B 6F 2F 32 30 30 36 30 33 30 38 20 46   Gecko/20060308 F
>> 0a0 : 69 72 65 66 6F 78 2F 31 2E 35 2E 30 2E 32 0D 0A   irefox/1.5.0.2..
>> ...
>> 440 : 3A 32 34 61 22 0D 0A 55 73 65 72 2D 41 67 65 6E   :24a"..User-Agen
>> 450 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28   t: Mozilla/4.0 (
>> 460 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45   compatible; MSIE
>> 470 : 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54    6.0; Windows NT
>> 480 : 20 35 2E 31 3B 20 53 56 31 3B 20 46 75 6E 57 65    5.1; SV1; FunWe
>> 490 : 62 50 72 6F 64 75 63 74 73 3B 20 2E 4E 45 54 20   bProducts; .NET
>> 4a0 : 43 4C 52 20 31 2E 31 2E 34 33 32 32 29 0D 0A 48   CLR 1.1.4322)..H
>> 4b0 : 6F 73 74 3A 20 69 6D 61 67 65 73 32 2E 73 69 6E   ost: images2.sin
>> ...
>> 610 : 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   e..User-Agent: M
>> 620 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
>> 630 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30   atible; MSIE 6.0
>> 640 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
>> 650 : 3B 20 53 56 31 3B 20 2E 4E 45 54 20 43 4C 52 20   ; SV1; .NET CLR
>> 660 : 31 2E 31 2E 34 33 32 32 3B 20 49 6E 66 6F 50 61   1.1.4322; InfoPa
>> 670 : 74 68 2E 31 29 0D 0A 48 6F 73 74 3A 20 63 6F 6E   th.1)..Host: con
>>
>> -- 
>> Eric J. Bowser
>> Bright.Net NE / Doylestown Communications, Inc.
>> 800-535-6423 toll-free
>> www.neobright.net
>> www.doyestowncommunications.com
>>
>> "Providing advanced communications since 1899."
>>

-- 
Eric J. Bowser
Bright.Net NE / Doylestown Communications, Inc.
800-535-6423 toll-free
www.neobright.net
www.doyestowncommunications.com

"Providing advanced communications since 1899."
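Added example, not part of the thread and not Snort's own code: a small Python script that parses a Snort "offset : hex   ascii" dump like the one quoted above, splits it into contiguous byte runs wherever the poster's "..." clipping leaves a gap in the offsets, and lists the HTTP header lines found in each run. Run over the quoted dump it reports three User-Agent headers in one alert payload, which is the multi-request lumping the original post describes. The embedded dump is copied byte-for-byte from the post (quote markers removed); the function names and the regular expressions are the example's own, as is the choice to flag a header that has no terminating CRLF as incomplete rather than guessing at its value.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the clipped hex dump from the original post, copied as-is
# minus the quote markers. The "..." lines are where the poster cut bytes out;
# the first column is a hexadecimal offset into the logged payload.
SNORT_DUMP = """\
...
030 : 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 55 73 65 72 2D   oogle.com..User-
040 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35   Agent: Mozilla/5
050 : 2E 30 20 28 57 69 6E 64 6F 77 73 3B 20 55 3B 20   .0 (Windows; U;
060 : 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20   Windows NT 5.1;
070 : 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 38 2E 30 2E   en-US; rv:1.8.0.
080 : 32 3B 20 47 6F 6F 67 6C 65 2D 54 52 2D 31 29 20   2; Google-TR-1)
090 : 47 65 63 6B 6F 2F 32 30 30 36 30 33 30 38 20 46   Gecko/20060308 F
0a0 : 69 72 65 66 6F 78 2F 31 2E 35 2E 30 2E 32 0D 0A   irefox/1.5.0.2..
...
440 : 3A 32 34 61 22 0D 0A 55 73 65 72 2D 41 67 65 6E   :24a"..User-Agen
450 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28   t: Mozilla/4.0 (
460 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45   compatible; MSIE
470 : 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54    6.0; Windows NT
480 : 20 35 2E 31 3B 20 53 56 31 3B 20 46 75 6E 57 65    5.1; SV1; FunWe
490 : 62 50 72 6F 64 75 63 74 73 3B 20 2E 4E 45 54 20   bProducts; .NET
4a0 : 43 4C 52 20 31 2E 31 2E 34 33 32 32 29 0D 0A 48   CLR 1.1.4322)..H
4b0 : 6F 73 74 3A 20 69 6D 61 67 65 73 32 2E 73 69 6E   ost: images2.sin
...
610 : 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   e..User-Agent: M
620 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
630 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30   atible; MSIE 6.0
640 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
650 : 3B 20 53 56 31 3B 20 2E 4E 45 54 20 43 4C 52 20   ; SV1; .NET CLR
660 : 31 2E 31 2E 34 33 32 32 3B 20 49 6E 66 6F 50 61   1.1.4322; InfoPa
670 : 74 68 2E 31 29 0D 0A 48 6F 73 74 3A 20 63 6F 6E   th.1)..Host: con
"""

# One dump line: hex offset, " : ", up to 16 hex bytes, then the ASCII column.
# Capping at 16 bytes keeps the ASCII column from being read as hex.
DUMP_LINE = re.compile(
    r'^\s*([0-9A-Fa-f]{1,8})\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s|$)){1,16})')

# An HTTP header line: "Name: value" at the start of the buffer or right after
# a CRLF. The trailing CRLF is optional so a clipped header is still reported.
HEADER = re.compile(
    rb'(?:^|(?<=\r\n))([A-Za-z][A-Za-z0-9-]*):[ \t]*([^\r\n]*)(\r\n)?')


def parse_snort_dump(text: str) -> List[Tuple[int, bytes]]:
    """Turn Snort's dump lines into (offset, bytes) runs of contiguous data.

    Lines that are not dump lines (the "..." markers) are skipped, and any
    jump in offset starts a new run so clipped gaps are never papered over.
    """
    runs: List[Tuple[int, bytearray]] = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex("".join(m.group(2).split()))
        if runs and runs[-1][0] + len(runs[-1][1]) == offset:
            runs[-1][1].extend(chunk)            # continues the previous run
        else:
            runs.append((offset, bytearray(chunk)))
    return [(off, bytes(buf)) for off, buf in runs]


def extract_headers(runs: List[Tuple[int, bytes]]) -> List[Dict]:
    """List every HTTP header line in each run, noting clipped ones."""
    found = []
    for offset, data in runs:
        for m in HEADER.finditer(data):
            found.append({
                "segment": offset,
                "name": m.group(1).decode("ascii"),
                "value": m.group(2).decode("latin-1"),
                "complete": m.group(3) is not None,   # False when CRLF missing
            })
    return found


def summarize(text: str) -> Dict:
    """Report how many distinct client requests one alert payload carries."""
    headers = extract_headers(parse_snort_dump(text))
    agents = [h["value"] for h in headers if h["name"].lower() == "user-agent"]
    hosts = [h["value"] for h in headers if h["name"].lower() == "host"]
    return {
        "user_agent_count": len(agents),
        "distinct_user_agents": sorted(set(agents)),
        "host_values": hosts,                 # may be clipped, see "complete"
        "single_request": len(agents) <= 1,   # False means reassembled data
    }


if __name__ == "__main__":
    report = summarize(SNORT_DUMP)
    print(f"User-Agent headers found: {report['user_agent_count']}")
    for ua in report["distinct_user_agents"]:
        print("  ", ua)
    print("Host values (possibly clipped):", report["host_values"])
```

More than one User-Agent header in a single logged "packet" means the rule fired on a reassembled buffer rather than on one wire packet, which is the situation in which the address in the alert header need not belong to the host that sent the matching bytes. Checking the dump this way is a quicker first step than reading the hex by eye when deciding whether a stream4 flush setting, rather than the rule, is what needs tuning.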
