Snort mailing list archives
Re: Very high amount of "TCP Small Segment Threshold Exceeded"
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 29 Feb 2012 11:44:01 -0500
On 2/29/2012 08:08, Russ Combs wrote:
> If you can trigger the alerts, can you capture a pcap that reproduces the problem? Maybe we can tweak the settings based on that.

+1 that's exactly what i was just getting ready to write and then i saw your post in the thread and read it first ;)

> On Wed, Feb 29, 2012 at 3:40 AM, Giacomo <lib.giacomo () gmail com> wrote:
>> Hi there,
>>
>> Sorry I put it indeed in the subject but forgot to mention it in the email. The event that gets thrown is:
>> "stream5: TCP Small Segment Threshold Exceeded"
>> The configuration adjustments Shane Castle suggested don't really seem to do the trick. I did notice today though that the events seem to be thrown when I connect with the (default) ssh client for Mac OS X. Connecting with putty seems to go fine (no events are generated). This is a bit of a mystery to me why...
>>
>> Cheers.
>>
>> On 29/02/2012, at 7:00 AM, Russ Combs wrote:
>>> On Tue, Feb 28, 2012 at 2:52 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>>> On 2/27/2012 03:39, Giacomo wrote:
>>>>> Hi there,
>>>>>
>>>>> I recently started using Snort. After enabling the (default) preprocessor configuration I started receiving very large amounts of events regarding stream5.
>>>>> Since it is a server that is not being used for anything I assume this event is generated by my SSH connection. A couple of topics have discussed this but none come with a very clear answer why this is occurring and how you can solve it.
>>>>> The only two suggestions I found was to change the max_tcp value in stream5_global or increase the memcap. But both of these suggestions don't work. So I am wondering if any one of you has an idea why this is occurring and what I can do about it.
>>>>
>>>> what, exactly, are the SIDs being reported? the items you saw are for one or two things but stream5 can alert on numerous items... here's what the snort-2.9.2.1's README.stream5 has to say...
>>>>
>>>> Alerts
>>>> ======
>>>>
>>>> Stream5 uses generator ID 129. It is capable of alerting on 10 anomalies, all of which relate to TCP anomalies. There are no anomaly detection capabilities for UDP or ICMP.
>>>>
>>>>   SID   Description
>>>>   ---   -----------
>>>>    1    SYN on established session
>>>>    2    Data on SYN packet
>>>>    3    Data sent on stream not accepting data
>>>>    4    TCP Timestamp is outside of PAWS window
>>>>    5    Bad segment, overlap adjusted size less than/equal 0
>>>>    6    Window size (after scaling) larger than policy allows
>>>>    7    Limit on number of overlapping TCP packets reached
>>>>    8    Data after Reset packet
>>>>    9    Possible Hijacked Client
>>>>   10    Possible Hijacked Server
>>>>   11    TCP packet with any control flags set
>>>>   12    Limit on number of consecutive small segments reached
>>>>   13    4-way handshake detected
>>>>   14    Packet missing timestamp
>>>>
>>>> [ yes, there's a typo up there where it says 10 anomalies and then shows 14 of them ;) ]
>>>
>>> It's actually more than that:
>>>
>>> $ grep "^129" ../etc/gen-msg.map
>>> 129 || 1 || stream5: SYN on established session
>>> 129 || 2 || stream5: Data on SYN packet
>>> 129 || 3 || stream5: Data sent on stream not accepting data
>>> 129 || 4 || stream5: TCP Timestamp is outside of PAWS window
>>> 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
>>> 129 || 6 || stream5: Window size (after scaling) larger than policy allows
>>> 129 || 7 || stream5: Limit on number of overlapping TCP packets reached
>>> 129 || 8 || stream5: Data sent on stream after TCP Reset
>>> 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
>>> 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
>>> 129 || 11 || stream5: TCP Data with no TCP Flags set
>>> 129 || 12 || stream5: TCP Small Segment Threshold Exceeded
>>> 129 || 13 || stream5: TCP 4-way handshake detected
>>> 129 || 14 || stream5: TCP Timestamp is missing
>>> 129 || 15 || stream5: Reset outside window
>>> 129 || 16 || stream5: FIN number is greater than prior FIN
>>> 129 || 17 || stream5: ACK number is greater than prior FIN
>>> 129 || 18 || stream5: Data sent on stream after TCP Reset received
>>> 129 || 19 || stream5: TCP window closed before receiving data
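The triage step the thread keeps coming back to, "what, exactly, are the SIDs being reported?", can be answered from the alert file before anyone captures a pcap. The script below is an added example, not code from the thread or from the Snort project: it parses Snort 2.9 alert_fast lines and the gid || sid || message layout of gen-msg.map (the same layout as the grep output quoted above), counts generator 129 alerts per SID, and also groups them by destination port so a flood like the one described can be tied to one service (ssh on 22/tcp) rather than guessed at. The alert lines, addresses and the excerpt of gen-msg.map are constructed sample data.

```python
import re
from collections import Counter

# Constructed excerpt of Snort's etc/gen-msg.map (same "gid || sid || message"
# layout as the grep output quoted in the thread).
GEN_MSG_MAP = """\
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 15 || stream5: Reset outside window
"""

# Constructed alert_fast lines (hypothetical RFC 5737 addresses); the sensor
# is watching an SSH server, so most hits land on port 22.
SAMPLE_ALERTS = """\
02/29-11:02:13.401211  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 192.0.2.10:52344 -> 198.51.100.7:22
02/29-11:02:13.533870  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 192.0.2.10:52344 -> 198.51.100.7:22
02/29-11:02:14.002113  [**] [129:12:1] stream5: TCP Small Segment Threshold Exceeded [**] [Priority: 3] {TCP} 192.0.2.11:61001 -> 198.51.100.7:22
02/29-11:05:40.911000  [**] [129:4:1] stream5: TCP Timestamp is outside of PAWS window [**] [Priority: 3] {TCP} 203.0.113.5:44120 -> 198.51.100.7:80
02/29-11:06:01.110002  [**] [1:9000001:1] CONSTRUCTED rule alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:44121 -> 198.51.100.7:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src:port -> dst:port.  IPv4 only.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)\s*$"
)


def parse_gen_msg_map(text):
    """Map (gid, sid) -> message text, skipping comments and malformed rows."""
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def summarize(alert_text, gid=129):
    """Count alerts from one generator by SID, and by (SID, destination port)
    so a flood can be tied to a single service such as ssh on 22/tcp."""
    by_sid, by_dport = Counter(), Counter()
    for line in alert_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None or alert["gid"] != gid:
            continue
        by_sid[alert["sid"]] += 1
        by_dport[(alert["sid"], alert["dport"])] += 1
    return by_sid, by_dport


def report(by_sid, genmap, gid=129):
    """Human-readable lines, most frequent SID first, named via gen-msg.map."""
    total = sum(by_sid.values()) or 1
    lines = []
    for sid, count in by_sid.most_common():
        name = genmap.get((gid, sid), "(not in gen-msg.map)")
        lines.append(f"{gid}:{sid:<3} {count:6d} {100 * count / total:5.1f}%  {name}")
    return lines


if __name__ == "__main__":
    genmap = parse_gen_msg_map(GEN_MSG_MAP)
    by_sid, by_dport = summarize(SAMPLE_ALERTS)
    print("\n".join(report(by_sid, genmap)))
    for (sid, dport), count in by_dport.most_common():
        print(f"  sid {sid} -> dst port {dport}: {count}")
```

Pointed at a real alert file (read it into `summarize` instead of `SAMPLE_ALERTS`, and load the sensor's own etc/gen-msg.map), the per-port breakdown is what separates "one interactive ssh client sends many small segments" from a sensor-wide stream5 problem, and the SID column is the answer to the question asked above. The regex covers the IPv4 alert_fast layout only; IPv6 addresses contain colons and need a different split.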