Snort mailing list archives

question about spp stream4 retransmission


From: Michel Christophe <tofm2 () yahoo fr>
Date: Sat, 20 Dec 2003 16:15:51 +0100

Hello

I have recently activated my snort stream 4 preprocessor on my system.

It gives me numerous alerts
such as these:


Dec 16 21:10:32 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 21:10:34 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 22:56:27 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4115 -> 192.168.0.1:80
Dec 16 22:56:29 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4116 -> 192.168.0.1:80
Dec 18 09:25:28 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.203.69.36:3892 -> 192.168.0.1:80
Dec 18 16:02:53 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.224.83.136:12685 -> 192.168.0.1:80
Dec 18 16:02:56 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.224.83.136:12849 -> 192.168.0.1:80
Dec 18 16:34:50 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 80.14.9.150:2174 -> 192.168.0.1:80
Dec 18 17:31:46 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 80.9.187.144:4303 -> 192.168.0.1:80
Dec 18 18:19:15 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 193.249.52.90:1338 -> 192.168.0.1:80
Dec 19 15:40:20 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 193.250.212.150:1533 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32856 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32855 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32858 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:44 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32859 -> 192.168.0.1:80
Dec 20 10:47:44 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32860 -> 192.168.0.1:80

My network is equipped with a webserver on internal address 192.168.0.1
with public access.
I need to leave free web access to anybody.

Pardon me for this stupid newbie question, but what is this preprocessor
supposed to detect?

If it detects any web transfer, is it possible to reduce its output only
to non-webserver transfers?

Thanks for any clues



-- 
Michel Christophe <tofm2 () yahoo fr>
