Snort mailing list archives
Re: spp_stream4: Possible RETRANSMISSION detection
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 20 Aug 2001 21:04:25 -0700 (PDT)
On Mon, 20 Aug 2001, Mads Rasmussen wrote:
Could you tell me some more, please?
I could, but then I would have to kill you. ;-) Sorry, couldn't resist! Stream 4 used to be a noisy lil' bugger. In the later 1.8.1 builds Marty made it quieter since it would trigger on all sorts of things, esp. from broken--read WinBlows--TCP/IP stacks.
Well, I tried running with the -z est flag but the alerts don't change. I guess that the checksums for the incoming packets don't match or something like that.
Suggestion: Grab the packets that are causing the flags. If you can isolate it down to a host or set of hosts, grab a good time snapshot off of the wire. Once you've got that, take it into a 'lab' and play. Config two boxes, just as the others were (OS, version, etc.) with the same IPs. Use tcpreplay to replay the traffic on the test net. Once you do, you should be able to tweak a snort sensor to only alert on what is _really_ critical.
Before my time here, the server was configured with Stronghold with the proxy function enabled. We removed this almost a year ago, but there are still requests coming in. Could that be the cause of what I am seeing?
Perhaps. You might have a misconfigured machine on the inside thinking it was ready to use the proxy and it's not. Or it could be martians.
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/20-16:47:57.585886 193.253.192.85:1214 -> 200.246.37.4:3300
TCP TTL:111 TOS:0x0 ID:44713 IpLen:20 DgmLen:1400 DF
***A**** Seq: 0x396EEE38  Ack: 0x32D5CD39  Win: 0x43DD  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2714606 390515132
Get some full packet captures. That will really help out, as you can see exactly what the whole conversation is.
Another thing, the ports database that was on the snort site some time ago has vanished. Any chance of putting it on again?
There is no Ports DataBase. You must not try to access it, you must realize that it is not there. :) I _think_ it's under reworking. I also seem to recall that http://www.iana.org/ has a pretty good db there. I've got links on another box, or I would send them.... Check Google for 'Ports Database' and it should keep you busy for a while.
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
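Erek's first step, isolating the stream4 alerts down to a host or set of hosts before capturing and replaying anything, is easy to do straight from the alert file. The script below is an added example and is not code from the thread or from the Snort project: it parses the multi-line full-alert format shown in the quoted alert above (the `[gid:sid:rev]` header line followed by the timestamp/address line), keeps only generator 111 sid 3 (spp_stream4's RETRANSMISSION alert as it appears on this page), and counts alerts per source address so you know which hosts to take a capture of. Only the first record in the sample is the alert quoted in the thread; the other records, their addresses and their timestamps are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample alert file. Record 1 is the alert quoted in the thread;
# records 2-4 (hosts 10.0.0.5 / 10.0.0.9, sid 9999999) are invented for this example.
SAMPLE_ALERTS = """\
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/20-16:47:57.585886 193.253.192.85:1214 -> 200.246.37.4:3300
TCP TTL:111 TOS:0x0 ID:44713 IpLen:20 DgmLen:1400 DF
***A**** Seq: 0x396EEE38  Ack: 0x32D5CD39  Win: 0x43DD  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2714606 390515132

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/20-16:48:02.100000 193.253.192.85:1214 -> 200.246.37.4:3300
TCP TTL:111 TOS:0x0 ID:44720 IpLen:20 DgmLen:1400 DF
***A**** Seq: 0x396EEE38  Ack: 0x32D5CD39  Win: 0x43DD  TcpLen: 32

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/20-16:49:10.000000 10.0.0.5:40000 -> 200.246.37.4:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x00000001  Ack: 0x00000002  Win: 0x1000  TcpLen: 20

[**] [1:9999999:1] EXAMPLE constructed non-stream4 alert [**]
08/20-16:50:00.000000 10.0.0.9 -> 200.246.37.4
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:28
"""

# Line 1 of a record: "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Line 2 of a record: "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def _split_endpoint(endpoint):
    """'1.2.3.4:1214' -> ('1.2.3.4', 1214); a bare '1.2.3.4' (ICMP) -> ('1.2.3.4', None)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_alerts(text):
    """Split a full-format Snort alert file on blank lines and parse each record."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.strip().splitlines()
        if len(lines) < 2:
            continue
        header = HEADER_RE.match(lines[0])
        addr = ADDR_RE.match(lines[1])
        if not (header and addr):
            continue  # skip anything that is not a well-formed alert record
        gid, sid, rev, msg = header.groups()
        ts, src, dst = addr.groups()
        src_ip, src_port = _split_endpoint(src)
        dst_ip, dst_port = _split_endpoint(dst)
        alerts.append({
            "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "ts": ts, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return alerts


def count_by_source(alerts, gid=111, sid=3):
    """Count alerts per source IP for one signature (default: stream4 RETRANSMISSION, 111:3)."""
    return Counter(a["src_ip"] for a in alerts if a["gid"] == gid and a["sid"] == sid)


def top_talkers(alerts, n=5, gid=111, sid=3):
    """The n source hosts generating the most alerts for the signature; capture these first."""
    return count_by_source(alerts, gid, sid).most_common(n)


if __name__ == "__main__":
    for ip, hits in top_talkers(parse_alerts(SAMPLE_ALERTS)):
        print(f"{ip:>16}  {hits} stream4 RETRANSMISSION alerts")
```

Run it against your real alert file by replacing `SAMPLE_ALERTS` with its contents; the hosts at the top of the list are the ones worth a targeted tcpdump and a tcpreplay session in the lab, and the per-signature filter keeps unrelated alerts from skewing the count.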
Current thread:
- spp_stream4: Possible RETRANSMISSION detection Mads Rasmussen (Aug 20)
- Re: spp_stream4: Possible RETRANSMISSION detection Erek Adams (Aug 20)
- Re: spp_stream4: Possible RETRANSMISSION detection Mads Rasmussen (Aug 20)
- Re: spp_stream4: Possible RETRANSMISSION detection Mads Rasmussen (Aug 20)
- Re: was: spp_stream4: Now: ports database? John Sage (Aug 20)
- Re: was: spp_stream4: Now: ports database? Brian Caswell (Aug 20)
- Re: spp_stream4: Possible RETRANSMISSION detection Erek Adams (Aug 20)
- Re: was: ppp_stream4 Now: ports again John Sage (Aug 20)
- Re: spp_stream4: Possible RETRANSMISSION detection Mads Rasmussen (Aug 20)
- Re: spp_stream4: Possible RETRANSMISSION detection Erek Adams (Aug 20)