Snort mailing list archives
question about spp stream4 retransmission
From: Michel Christophe <tofm2 () yahoo fr>
Date: Sat, 20 Dec 2003 16:15:51 +0100
Hello,

I have recently activated my snort stream 4 preprocessor on my system. It gives me numerous alerts such as these:

Dec 16 21:10:32 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 21:10:34 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 62.147.92.251:3343 -> 192.168.0.1:80
Dec 16 22:56:27 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4115 -> 192.168.0.1:80
Dec 16 22:56:29 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.77.4.194:4116 -> 192.168.0.1:80
Dec 18 09:25:28 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.203.69.36:3892 -> 192.168.0.1:80
Dec 18 16:02:53 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.224.83.136:12685 -> 192.168.0.1:80
Dec 18 16:02:56 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 213.224.83.136:12849 -> 192.168.0.1:80
Dec 18 16:34:50 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 80.14.9.150:2174 -> 192.168.0.1:80
Dec 18 17:31:46 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 80.9.187.144:4303 -> 192.168.0.1:80
Dec 18 18:19:15 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 193.249.52.90:1338 -> 192.168.0.1:80
Dec 19 15:40:20 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 193.250.212.150:1533 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32856 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32855 -> 192.168.0.1:80
Dec 20 10:47:42 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32858 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:43 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32857 -> 192.168.0.1:80
Dec 20 10:47:44 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32859 -> 192.168.0.1:80
Dec 20 10:47:44 snortsensor snort: [111:3:1] (spp_stream4) Possible RETRANSMISSION detection {TCP} 212.195.207.67:32860 -> 192.168.0.1:80

My network is equipped with a webserver on internal address 192.168.0.1 with public access. I need to leave free web access to anybody.

Pardon me for this stupid newbie question, but what is this preprocessor supposed to detect? If it detects any web transfer, is it possible to reduce its output to non-webserver transfers only?

Thanks for any clues.

--
Michel Christophe <tofm2 () yahoo fr>