[Snort-users] Very high amount of "TCP Small Segment Threshold Exceeded"

waldo kitty wkitty42 at ...14940...
Wed Feb 29 11:44:01 EST 2012


On 2/29/2012 08:08, Russ Combs wrote:
> If you can trigger the alerts, can you capture a pcap that reproduces the
> problem?  Maybe we can tweak the settings based on that.

+1
that's exactly what i was just getting ready to write and then i saw your post 
in the thread and read it first ;)

> On Wed, Feb 29, 2012 at 3:40 AM, Giacomo <lib.giacomo at ...11827...
> <mailto:lib.giacomo at ...11827...>> wrote:
>
>     Hi there,
>
>     Sorry I put it indeed in the subject but forgot to mention it in the email.
>     The event that gets thrown is: "stream5: TCP Small Segment Threshold Exceeded"
>     The configuration adjustments Shane Castle suggested don't really seem to do
>     the trick.
>     I did notice today though that the events seem to be thrown when I connect
>     with the (default) ssh client for Mac OS X. Connecting with putty seems to
>     go fine (no events are generated). This is a bit of a mystery to me why...
>
>     Cheers.
>
>     On 29/02/2012, at 7:00 AM, Russ Combs wrote:
>
>>     On Tue, Feb 28, 2012 at 2:52 PM, waldo kitty <wkitty42 at ...14940...
>>     <mailto:wkitty42 at ...14940...>> wrote:
>>
>>         On 2/27/2012 03:39, Giacomo wrote:
>>         > Hi there,
>>         >
>>         > I recently started using Snort. After enabling the (default)
>>         preprocessor configuration I started receiving very large amounts of
>>         events regarding stream5.
>>         > Since it is a server that is not being used for anything I assume
>>         this event is generated by my SSH connection. A couple of topics have
>>         discussed this but none come with a very clear answer why this is
>>         occurring and how you can solve it.
>>         > The only two suggestions I found was to change the max_tcp value in
>>         stream5_global or increase the memcap. But both of these suggestions
>>         don't work. So I am wondering if any one of you has an idea why this
>>         is occurring and what I can do about it.
>>
>>         what, exactly, are the SIDs being reported? the items you saw are for
>>         one or two
>>         things but stream5 can alert on numerous items...
>>
>>         here's what the snort-2.9.2.1's README.stream5 has to say...
>>
>>         Alerts
>>         ======
>>         Stream5 uses generator ID 129. It is capable of alerting on 10
>>         anomalies, all of
>>         which relate to TCP anomalies. There are no anomaly detection
>>         capabilities for
>>         UDP or ICMP.
>>
>>         SID   Description
>>         ---   -----------
>>         1     SYN on established session
>>         2     Data on SYN packet
>>         3     Data sent on stream not accepting data
>>         4     TCP Timestamp is outside of PAWS window
>>         5     Bad segment, overlap adjusted size less than/equal 0
>>         6     Window size (after scaling) larger than policy allows
>>         7     Limit on number of overlapping TCP packets reached
>>         8     Data after Reset packet
>>         9     Possible Hijacked Client
>>         10    Possible Hijacked Server
>>         11    TCP packet with any control flags set
>>         12    Limit on number of consecutive small segments reached
>>         13    4-way handshake detected
>>         14    Packet missing timestamp
>>
>>
>>         [ yes, there's a typo up there where it says 10 anomalies and then
>>         shows 14 of
>>         them ;) ]
>>
>>
>>     It's actually more than that:
>>
>>     $ grep "^129" ../etc/gen-msg.map
>>     129 || 1 || stream5: SYN on established session
>>     129 || 2 || stream5: Data on SYN packet
>>     129 || 3 || stream5: Data sent on stream not accepting data
>>     129 || 4 || stream5: TCP Timestamp is outside of PAWS window
>>     129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
>>     129 || 6 || stream5: Window size (after scaling) larger than policy allows
>>     129 || 7 || stream5: Limit on number of overlapping TCP packets reached
>>     129 || 8 || stream5: Data sent on stream after TCP Reset
>>     129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
>>     129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
>>     129 || 11 || stream5: TCP Data with no TCP Flags set
>>     129 || 12 || stream5: TCP Small Segment Threshold Exceeded
>>     129 || 13 || stream5: TCP 4-way handshake detected
>>     129 || 14 || stream5: TCP Timestamp is missing
>>     129 || 15 || stream5: Reset outside window
>>     129 || 16 || stream5: FIN number is greater than prior FIN
>>     129 || 17 || stream5: ACK number is greater than prior FIN
>>     129 || 18 || stream5: Data sent on stream after TCP Reset received
>>     129 || 19 || stream5: TCP window closed before receiving data
