[Snort-users] Very high amount of "TCP Small Segment Threshold Exceeded"

waldo kitty wkitty42 at ...14940...
Tue Feb 28 14:52:39 EST 2012

On 2/27/2012 03:39, Giacomo wrote:
> Hi there,
> I recently started using Snort. After enabling the (default) preprocessor configuration I started receiving very large amounts of events regarding stream5.
> Since it is a server that is not being used for anything I assume this event is generated by my SSH connection. A couple of topics have discussed this but none come with a very clear answer why this is occurring and how you can solve it.
> The only two suggestions I found was to change the max_tcp value in stream5_global or increase the memcap. But both of these suggestions don't work. So I am wondering if any one of you has an idea why this is occurring and what I can do about it.

what, exactly, are the SIDs being reported? the items you saw are for one or two 
things but stream5 can alert on numerous items...

here's what the snort-'s README.stream5 has to say...

Stream5 uses generator ID 129. It is capable of alerting on 10 anomalies, all of 
which relate to TCP anomalies. There are no anomaly detection capabilities for 

SID   Description
---   -----------
1     SYN on established session
2     Data on SYN packet
3     Data sent on stream not accepting data
4     TCP Timestamp is outside of PAWS window
5     Bad segment, overlap adjusted size less than/equal 0
6     Window size (after scaling) larger than policy allows
7     Limit on number of overlapping TCP packets reached
8     Data after Reset packet
9     Possible Hijacked Client
10    Possible Hijacked Server
11    TCP packet with any control flags set
12    Limit on number of consecutive small segments reached
13    4-way handshake detected
14    Packet missing timestamp

[ yes, there's a typo up there where it says 10 anomalies and then shows 14 of 
them ;) ]

More information about the Snort-users mailing list