Snort mailing list archives
Re: stream4_reassembly problems
From: Gentoo-Wally <gentoowally () gmail com>
Date: Wed, 3 May 2006 15:56:13 -0400
I've seen this before. It probably has to do with your 'flush_behavior' setting in stream4. The one time I saw this I had 'flush_behavior large_window' set. I would check this first.

Wally

On 5/3/06, Eric J. Bowser <ebowser () neobright net> wrote:
Hi All,

It seems like stream4 reassembly is quite often lumping packets together unnecessarily. I'm running snort 2.4.3 with mySQL support compiled in and the SPADE patch, on RedHat 9.0.

For example, here is a packet dump, captured by a rule from bleeding edge, "MALWARE Fun Web Products Spyware User Agent (1)". I have clipped the data to only show the user agent portions, and prevent revealing anything private. Based on the contents, it seems there are three separate GET requests here, to three different sites, from three different web browsers on three different machines. Why are these lumped together into a single packet and passed to snort for scanning? The IP address reported by snort in the packet headers is not even the infected machine! The entire packet logged by snort is 1875 bytes long by the way...

This is happening on several rules, and is even causing false positives because of multiple packets being lumped together.

Thanks for any direction you can provide...

...
030 : 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 55 73 65 72 2D  oogle.com..User-
040 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35  Agent: Mozilla/5
050 : 2E 30 20 28 57 69 6E 64 6F 77 73 3B 20 55 3B 20  .0 (Windows; U; 
060 : 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20  Windows NT 5.1; 
070 : 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 38 2E 30 2E  en-US; rv:1.8.0.
080 : 32 3B 20 47 6F 6F 67 6C 65 2D 54 52 2D 31 29 20  2; Google-TR-1) 
090 : 47 65 63 6B 6F 2F 32 30 30 36 30 33 30 38 20 46  Gecko/20060308 F
0a0 : 69 72 65 66 6F 78 2F 31 2E 35 2E 30 2E 32 0D 0A  irefox/1.5.0.2..
...
440 : 3A 32 34 61 22 0D 0A 55 73 65 72 2D 41 67 65 6E  :24a"..User-Agen
450 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28  t: Mozilla/4.0 (
460 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45  compatible; MSIE
470 : 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54   6.0; Windows NT
480 : 20 35 2E 31 3B 20 53 56 31 3B 20 46 75 6E 57 65   5.1; SV1; FunWe
490 : 62 50 72 6F 64 75 63 74 73 3B 20 2E 4E 45 54 20  bProducts; .NET 
4a0 : 43 4C 52 20 31 2E 31 2E 34 33 32 32 29 0D 0A 48  CLR 1.1.4322)..H
4b0 : 6F 73 74 3A 20 69 6D 61 67 65 73 32 2E 73 69 6E  ost: images2.sin
...
610 : 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
620 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
630 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30  atible; MSIE 6.0
640 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31  ; Windows NT 5.1
650 : 3B 20 53 56 31 3B 20 2E 4E 45 54 20 43 4C 52 20  ; SV1; .NET CLR 
660 : 31 2E 31 2E 34 33 32 32 3B 20 49 6E 66 6F 50 61  1.1.4322; InfoPa
670 : 74 68 2E 31 29 0D 0A 48 6F 73 74 3A 20 63 6F 6E  th.1)..Host: con

--
Eric J. Bowser
Bright.Net NE / Doylestown Communications, Inc.
800-535-6423 toll-free
www.neobright.net
www.doyestowncommunications.com
"Providing advanced communications since 1899."
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
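The mechanism behind both complaints in this thread (several requests landing in one inspected buffer, and rules firing across request boundaries) is easy to model. The following is an added example for this archive page, not Snort code and not anything Wally or Eric posted: it imitates a stream reassembler that hands rules a buffer once a flush point is reached (the thread's suggestion is that `flush_behavior large_window` pushes that point out, so more segments share one buffer), then runs two toy ordered-content rules against the result. The three HTTP requests, the 100-byte segmentation, the rule contents and every function name are constructed for the demonstration.

```python
"""Model of how reassembly flush points change what content rules see.

Added example; loosely models stream4 reassembly, it is not Snort's code.
"""

# Constructed sample: three pipelined HTTP requests back to back in one TCP
# stream (as they might be behind a proxy). Only REQ2 carries the spyware UA.
REQ1 = (b"GET / HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; "
        b"rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n\r\n")
REQ2 = (b"GET /i.gif HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
        b"SV1; FunWebProducts; .NET CLR 1.1.4322)\r\n"
        b"Host: images2.example.net\r\n\r\n")
REQ3 = (b"GET /a HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
        b"SV1; .NET CLR 1.1.4322; InfoPath.1)\r\n"
        b"Host: contoso.example\r\n\r\n")

# The sensor sees TCP segments cut at arbitrary points (here every 100 bytes),
# not at request boundaries.
STREAM = REQ1 + REQ2 + REQ3
SEGMENTS = [STREAM[i:i + 100] for i in range(0, len(STREAM), 100)]

# Toy rules: a list of content strings that must all occur, in order, in the
# inspected buffer (like Snort content matches with distance:0).
SPYWARE_UA_RULE = [b"User-Agent: ", b"FunWebProducts"]
# Meant as "a FunWebProducts browser talking to contoso.example", i.e. both
# strings in the same request.
CROSS_REQUEST_RULE = [b"FunWebProducts", b"Host: contoso.example"]


def rule_matches(rule, buf):
    """True if every content string is found in buf, each after the previous."""
    pos = 0
    for content in rule:
        idx = buf.find(content, pos)
        if idx < 0:
            return False
        pos = idx + len(content)
    return True


def reassemble(segments, flush_point):
    """Queue segments and emit one buffer each time flush_point bytes are queued.

    Crude stand-in for a reassembler's flush point: the larger it is, the more
    segments (and so the more requests) end up in a single inspected buffer.
    """
    buffers, pending = [], b""
    for seg in segments:
        pending += seg
        if len(pending) >= flush_point:
            buffers.append(pending)
            pending = b""
    if pending:
        buffers.append(pending)
    return buffers


def split_requests(buf):
    """Protocol-aware split: one buffer per header-only HTTP request."""
    return [p + b"\r\n\r\n" for p in buf.split(b"\r\n\r\n") if p]


def alerts(segments, flush_point, rule, per_request=False):
    """Number of inspected buffers on which rule fires for this flush policy."""
    bufs = reassemble(segments, flush_point)
    if per_request:
        bufs = [r for b in bufs for r in split_requests(b)]
    return sum(1 for b in bufs if rule_matches(rule, b))


if __name__ == "__main__":
    for fp in (4096, 100):
        print(f"flush_point={fp}: buffers={len(reassemble(SEGMENTS, fp))}, "
              f"spyware alerts={alerts(SEGMENTS, fp, SPYWARE_UA_RULE)}, "
              f"cross-request alerts={alerts(SEGMENTS, fp, CROSS_REQUEST_RULE)}")
    print("per request:",
          alerts(SEGMENTS, 4096, SPYWARE_UA_RULE, per_request=True),
          alerts(SEGMENTS, 4096, CROSS_REQUEST_RULE, per_request=True))
```

With the large flush point the whole stream becomes one buffer: the spyware rule fires correctly, but the cross-request rule also fires because `FunWebProducts` (request 2) is followed by `Host: contoso.example` (request 3), the false-positive pattern Eric describes. Shrinking the flush point to the segment size gives the opposite failure: `User-Agent: ` and `FunWebProducts` of request 2 land in different buffers and the genuine rule is missed. Splitting the inspected data on request boundaries fixes both, which is why tuning raw flush points is a blunt instrument and protocol-aware inspection is the thing to reach for when it is available.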
Current thread:
- stream4_reassembly problems Eric J. Bowser (May 03)
- Re: stream4_reassembly problems Gentoo-Wally (May 03)
- Re: stream4_reassembly problems Eric J. Bowser (May 03)
- Re: stream4_reassembly problems Gentoo-Wally (May 03)