[Snort-users] Very high amount of "TCP Small Segment Threshold Exceeded"

Giacomo lib.giacomo at ...11827...
Sat Mar 3 18:49:29 EST 2012


After changing small_segments to 0 (snort install default is 3) the events did not pop up anymore. I don't know why removing detect_anomalies (like Shane suggested) did not do the trick. small_segments is only enabled when detect_anomalies is defined (according to the docs). Anyway, thanks for the help guys.

On 01/03/2012, at 3:44 AM, waldo kitty wrote:

> On 2/29/2012 08:08, Russ Combs wrote:
>> If you can trigger the alerts, can you capture a pcap that reproduces the
>> problem?  Maybe we can tweak the settings based on that.
> 
> +1
> that's exactly what i was just getting ready to write and then i saw your post 
> in the thread and read it first ;)
> 
>> On Wed, Feb 29, 2012 at 3:40 AM, Giacomo <lib.giacomo at ...11827...
>> <mailto:lib.giacomo at ...11827...>> wrote:
>> 
>>    Hi there,
>> 
>>    Sorry I put it indeed in the subject but forgot to mention it in the email.
>>    The event that gets thrown is: "stream5: TCP Small Segment Threshold Exceeded"
>>    The configuration adjustments Shane Castle suggested don't really seem to do
>>    the trick.
>>    I did notice today though that the events seem to be thrown when I connect
>>    with the (default) ssh client for Mac OS X. Connecting with putty seems to
>>    go fine (no events are generated). This is a bit of a mystery to me why...
>> 
>>    Cheers.
>> 
>>    On 29/02/2012, at 7:00 AM, Russ Combs wrote:
>> 
>>>    On Tue, Feb 28, 2012 at 2:52 PM, waldo kitty <wkitty42 at ...14940...
>>>    <mailto:wkitty42 at ...14940...>> wrote:
>>> 
>>>        On 2/27/2012 03:39, Giacomo wrote:
>>>> Hi there,
>>>> 
>>>> I recently started using Snort. After enabling the (default)
>>>> preprocessor configuration I started receiving very large amounts of
>>>> events regarding stream5.
>>>> Since it is a server that is not being used for anything I assume
>>>> this event is generated by my SSH connection. A couple of topics have
>>>> discussed this but none come with a very clear answer why this is
>>>> occurring and how you can solve it.
>>>> The only two suggestions I found were to change the max_tcp value in
>>>> stream5_global or increase the memcap. But both of these suggestions
>>>> don't work. So I am wondering if any one of you has an idea why this
>>>> is occurring and what I can do about it.
>>> 
>>>        what, exactly, are the SIDs being reported? the items you saw are for
>>>        one or two things but stream5 can alert on numerous items...
>>> 
>>>        here's what the snort-2.9.2.1's README.stream5 has to say...
>>> 
>>>        Alerts
>>>        ======
>>>        Stream5 uses generator ID 129. It is capable of alerting on 10
>>>        anomalies, all of which relate to TCP anomalies. There are no
>>>        anomaly detection capabilities for UDP or ICMP.
>>> 
>>>        SID   Description
>>>        ---   -----------
>>>        1     SYN on established session
>>>        2     Data on SYN packet
>>>        3     Data sent on stream not accepting data
>>>        4     TCP Timestamp is outside of PAWS window
>>>        5     Bad segment, overlap adjusted size less than/equal 0
>>>        6     Window size (after scaling) larger than policy allows
>>>        7     Limit on number of overlapping TCP packets reached
>>>        8     Data after Reset packet
>>>        9     Possible Hijacked Client
>>>        10    Possible Hijacked Server
>>>        11    TCP packet with any control flags set
>>>        12    Limit on number of consecutive small segments reached
>>>        13    4-way handshake detected
>>>        14    Packet missing timestamp
>>> 
>>> 
>>>        [ yes, there's a typo up there where it says 10 anomalies and then
>>>        shows 14 of them ;) ]
>>> 
>>> 
>>>    It's actually more than that:
>>> 
>>>    $ grep "^129" ../etc/gen-msg.map
>>>    129 || 1 || stream5: SYN on established session
>>>    129 || 2 || stream5: Data on SYN packet
>>>    129 || 3 || stream5: Data sent on stream not accepting data
>>>    129 || 4 || stream5: TCP Timestamp is outside of PAWS window
>>>    129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
>>>    129 || 6 || stream5: Window size (after scaling) larger than policy allows
>>>    129 || 7 || stream5: Limit on number of overlapping TCP packets reached
>>>    129 || 8 || stream5: Data sent on stream after TCP Reset
>>>    129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
>>>    129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
>>>    129 || 11 || stream5: TCP Data with no TCP Flags set
>>>    129 || 12 || stream5: TCP Small Segment Threshold Exceeded
>>>    129 || 13 || stream5: TCP 4-way handshake detected
>>>    129 || 14 || stream5: TCP Timestamp is missing
>>>    129 || 15 || stream5: Reset outside window
>>>    129 || 16 || stream5: FIN number is greater than prior FIN
>>>    129 || 17 || stream5: ACK number is greater than prior FIN
>>>    129 || 18 || stream5: Data sent on stream after TCP Reset received
>>>    129 || 19 || stream5: TCP window closed before receiving data
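For reference, here is how the settings discussed in this thread fit together on a stream5_tcp line: the shipped default, the change the original poster made, a narrower alternative, and an event-filter approach. This is an added example, not configuration anyone in the thread posted; the option syntax follows README.stream5, and the concrete numbers (small_segments 3 bytes 150, the timeouts) and the shortened port list are assumptions modelled on a stock snort.conf rather than taken from this thread.

```conf
# Stock-style stream5_tcp line (assumed; modelled on a shipped snort.conf,
# port list shortened). Per README.stream5, small_segments only has an
# effect when detect_anomalies is also present. Interactive SSH sends
# many consecutive payloads well under 150 bytes, which is the kind of
# traffic that can reach the "3 consecutive small segments" threshold
# and raise GID 129 SID 12.
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 80 110 143 443

# Option A: what the original poster did. A threshold of 0 disables the
# small-segment check; detect_anomalies stays on, so every other GID 129
# anomaly (PAWS, data after RST, hijack checks, ...) is still reported.
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 0 bytes 150, timeout 180, \
    ports client 21 22 23 25 80 110 143 443

# Option B (ignore_ports syntax as documented in README.stream5): keep the
# check but exempt interactive ports where tiny segments are normal, so
# SID 12 still fires for services where it is unexpected.
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150 ignore_ports 22 23, \
    timeout 180, ports client 21 22 23 25 80 110 143 443

# Option C: leave the preprocessor untouched and handle the event in
# threshold.conf instead. Suppress it only for the admin workstation
# (192.0.2.10 is a constructed example address), and rate-limit it to one
# alert per source per minute everywhere else so a real burst is still seen.
suppress gen_id 129, sig_id 12, track by_src, ip 192.0.2.10
event_filter gen_id 129, sig_id 12, type limit, track by_src, count 1, seconds 60
```

Option B or C keeps a record of the anomaly from unexpected sources, whereas Option A silences SID 12 for every session on the sensor.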