[Snort-users] Very high amount of "TCP Small Segment Threshold Exceeded"

Giacomo lib.giacomo at ...11827...
Wed Feb 29 03:40:55 EST 2012


Hi there,

Sorry I put it indeed in the subject but forgot to mention it in the email. The event that gets thrown is: "stream5: TCP Small Segment Threshold Exceeded"
The configuration adjustments Shane Castle suggested don't really seem to do the trick.
I did notice today though that the events seem to be thrown when I connect with the (default) ssh client for Mac OS X. Connecting with putty seems to go fine (no events are generated). This is a bit of a mystery to me why...

Cheers.

On 29/02/2012, at 7:00 AM, Russ Combs wrote:

> 
> 
> On Tue, Feb 28, 2012 at 2:52 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 2/27/2012 03:39, Giacomo wrote:
> > Hi there,
> >
> > I recently started using Snort. After enabling the (default) preprocessor configuration I started receiving very large amounts of events regarding stream5.
> > Since it is a server that is not being used for anything I assume this event is generated by my SSH connection. A couple of topics have discussed this but none come with a very clear answer why this is occurring and how you can solve it.
> > The only two suggestions I found were to change the max_tcp value in stream5_global or increase the memcap. But neither of these suggestions works. So I am wondering if any one of you has an idea why this is occurring and what I can do about it.
> 
> what, exactly, are the SIDs being reported? the items you saw are for one or two
> things but stream5 can alert on numerous items...
> 
> here's what the snort-2.9.2.1's README.stream5 has to say...
> 
> Alerts
> ======
> Stream5 uses generator ID 129. It is capable of alerting on 10 anomalies, all of
> which relate to TCP anomalies. There are no anomaly detection capabilities for
> UDP or ICMP.
> 
> SID   Description
> ---   -----------
> 1     SYN on established session
> 2     Data on SYN packet
> 3     Data sent on stream not accepting data
> 4     TCP Timestamp is outside of PAWS window
> 5     Bad segment, overlap adjusted size less than/equal 0
> 6     Window size (after scaling) larger than policy allows
> 7     Limit on number of overlapping TCP packets reached
> 8     Data after Reset packet
> 9     Possible Hijacked Client
> 10    Possible Hijacked Server
> 11    TCP packet with any control flags set
> 12    Limit on number of consecutive small segments reached
> 13    4-way handshake detected
> 14    Packet missing timestamp
> 
> 
> [ yes, there's a typo up there where it says 10 anomalies and then shows 14 of
> them ;) ]
> 
> It's actually more than that:
> 
> $ grep "^129" ../etc/gen-msg.map
> 129 || 1 || stream5: SYN on established session
> 129 || 2 || stream5: Data on SYN packet
> 129 || 3 || stream5: Data sent on stream not accepting data
> 129 || 4 || stream5: TCP Timestamp is outside of PAWS window
> 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
> 129 || 6 || stream5: Window size (after scaling) larger than policy allows
> 129 || 7 || stream5: Limit on number of overlapping TCP packets reached
> 129 || 8 || stream5: Data sent on stream after TCP Reset
> 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
> 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
> 129 || 11 || stream5: TCP Data with no TCP Flags set
> 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
> 129 || 13 || stream5: TCP 4-way handshake detected
> 129 || 14 || stream5: TCP Timestamp is missing
> 129 || 15 || stream5: Reset outside window
> 129 || 16 || stream5: FIN number is greater than prior FIN
> 129 || 17 || stream5: ACK number is greater than prior FIN
> 129 || 18 || stream5: Data sent on stream after TCP Reset received
> 129 || 19 || stream5: TCP window closed before receiving data
>  
> 
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
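An added example, not from this thread and not from the Snort project: a small Python triage script for the question waldo kitty raises (which GID:SID pairs are actually firing, from which hosts, to which ports). It reads alert_fast-style lines, looks the [gid:sid:rev] triple up in a gen-msg.map excerpt copied from the listing above, and tallies events per SID, per destination port and per source. The log lines, addresses, ports and timestamps are constructed for the example, and the alert_fast line layout is an assumption about how Snort was configured to log.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of Snort alert_fast output. The [gid:sid:rev] triples and
# message texts follow the stream5 gen-msg.map entries quoted in the thread;
# the timestamps, addresses and ports are made up.
SAMPLE_ALERTS = """\
02/29-03:40:55.101010  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 192.0.2.10:51022 -> 198.51.100.5:22
02/29-03:40:55.202020  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 192.0.2.10:51022 -> 198.51.100.5:22
02/29-03:40:56.303030  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 192.0.2.10:51022 -> 198.51.100.5:22
02/29-03:40:58.404040  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 192.0.2.11:40110 -> 198.51.100.5:22
02/29-03:41:10.505050  [**] [129:4:1] stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 203.0.113.7:44000 -> 198.51.100.5:443
02/29-03:41:12.606060  [**] [129:15:1] stream5: Reset outside window [**] [Priority: 3] {TCP} 203.0.113.7:44001 -> 198.51.100.5:443
"""

# Excerpt of gen-msg.map in the "gid || sid || message" form shown in the thread.
GEN_MSG_MAP = """\
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 15 || stream5: Reset outside window
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] message [**], optional
# classification/priority fields, {proto} src:sport -> dst:dport.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_gen_msg_map(text):
    """Map (gid, sid) -> message text from gen-msg.map style lines."""
    names = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue  # comment, blank or otherwise malformed line
        names[(int(parts[0]), int(parts[1]))] = parts[2]
    return names


def parse_alerts(text):
    """Return one dict per line that matches the alert_fast layout; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def summarize(alerts, names):
    """Count alerts per (gid, sid), and within each SID per destination port and per source."""
    by_sid = Counter()
    by_dport = defaultdict(Counter)
    by_src = defaultdict(Counter)
    labels = {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        by_sid[key] += 1
        by_dport[key][a["dport"]] += 1
        by_src[key][a["src"]] += 1
        # Prefer the gen-msg.map text; fall back to the message in the alert itself.
        labels[key] = names.get(key, a["msg"])
    return {"by_sid": by_sid, "by_dport": dict(by_dport), "by_src": dict(by_src), "labels": labels}


def report(summary):
    """Print the tally, most frequent SID first."""
    for key, count in summary["by_sid"].most_common():
        print(f"{key[0]}:{key[1]}  {count:6d}  {summary['labels'][key]}")
        print("    dst ports:", dict(summary["by_dport"][key].most_common(5)))
        print("    sources:  ", dict(summary["by_src"][key].most_common(5)))


if __name__ == "__main__":
    # With a path argument, read a real alert_fast file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    report(summarize(parse_alerts(text), parse_gen_msg_map(GEN_MSG_MAP)))
```

Run it against whatever file output alert_fast is pointed at (the path is site specific). If every 129:12 event lands on port 22 from an interactive SSH session, that is the expected pattern rather than a misconfiguration: an interactive session sends one tiny segment per keystroke, which is exactly the run of consecutive small segments SID 12 counts. The relevant knob is the small_segments option of stream5_tcp, which takes a segment count, a byte size and an optional ignore_ports list for ports where small segments are normal (check the small_segments entry in README.stream5 for the exact syntax of your version); max_tcp and memcap govern how many sessions are tracked and how much memory reassembly may use, so changing them does not affect this alert.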
