Snort mailing list archives

A lot of retransmission alerts - What can it be????


From: Mads Rasmussen <mads () cit com br>
Date: Fri, 17 Aug 2001 15:24:48 -0300


Hi there,

I just installed snort 1.8.1, and yes, I am a beginner with snort, but please 
have patience.

I just want to ask a simple question; maybe I need to dig deeper in the 
documentation, I just find it strange that so many alerts are found.

Here are a few lines of alerts:

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:14:40.479177 66.41.153.214:1214 -> 200.246.xx.xx:1165
TCP TTL:109 TOS:0x0 ID:35449 IpLen:20 DgmLen:64 DF
***A**** Seq: 0xBBCBC9C6  Ack: 0x4EECB14F  Win: 0xB5A3  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2830075 364036340

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:14:58.027889 24.43.55.34:1214 -> 200.246.xx.xx:1283
TCP TTL:111 TOS:0x0 ID:9809 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x77837475  Ack: 0x50FEE127  Win: 0x431B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 83141 364037876
 
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:15:04.909362 24.43.55.34:1214 -> 200.246.xx.xx1283
TCP TTL:111 TOS:0x0 ID:10186 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x778390BD  Ack: 0x50FEE127  Win: 0x431B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 83211 364038573

The most exciting are the ones involving SMTP:

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:05:07.735683 200.183.41.20:64705 -> 200.246.xx.xx:25
TCP TTL:120 TOS:0x0 ID:26996 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x1B6E70D8  Ack: 0x5449295F  Win: 0x20B6  TcpLen: 20
 
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:05:07.830332 200.183.41.20:64707 -> 200.246.xx.xx:25
TCP TTL:120 TOS:0x0 ID:58485 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x1B6E70B0  Ack: 0x5425615D  Win: 0x20E5  TcpLen: 20
 
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:05:08.105910 200.183.41.20:64705 -> 200.246.xx.xx:25
TCP TTL:120 TOS:0x0 ID:40308 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1B6E768C  Ack: 0x5449295F  Win: 0x20B6  TcpLen: 20
 
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:05:08.228029 200.183.41.20:64707 -> 200.246.xx.xx:25
TCP TTL:120 TOS:0x0 ID:2422 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1B6E7664  Ack: 0x5425615D  Win: 0x20E5  TcpLen: 20

Can anyone tell me what this is? Is it something misconfigured, or something 
normal?

Can I increase the logged info to learn more? Where can I learn more?

Kind regards,

Mads
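
For triaging a batch of alerts in the layout quoted in this message, the following added example (not part of the original post and not Snort code) parses that layout, groups alerts by signature and flow, and computes the TCP payload size and the sequence-number step between consecutive alerts. The function names and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the alert layout shown in the post (addresses are documentation ranges).
SAMPLE = """\
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:05:07.735683 192.0.2.20:64705 -> 198.51.100.7:25
TCP TTL:120 TOS:0x0 ID:26996 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x1B6E70D8  Ack: 0x5449295F  Win: 0x20B6  TcpLen: 20

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:05:08.105910 192.0.2.20:64705 -> 198.51.100.7:25
TCP TTL:120 TOS:0x0 ID:40308 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1B6E768C  Ack: 0x5449295F  Win: 0x20B6  TcpLen: 20

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/17-15:14:40.479177 192.0.2.99:1214 -> 198.51.100.7:1165
TCP TTL:109 TOS:0x0 ID:35449 IpLen:20 DgmLen:64 DF
***A**** Seq: 0xBBCBC9C6  Ack: 0x4EECB14F  Win: 0xB5A3  TcpLen: 32
"""

RECORD = re.compile(
    r"\[\*\*\] \[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\]\s*\n"
    r"(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)\s*\n"
    r".*?IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+).*?\n"
    r".*?Seq: 0x(?P<seq>[0-9A-Fa-f]+).*?TcpLen: (?P<tcplen>\d+)")

def parse_alerts(text):
    """Return one dict per alert record; text that does not match is skipped."""
    alerts = []
    for m in RECORD.finditer(text):
        a = m.groupdict()
        a["seq"] = int(a["seq"], 16)
        # TCP payload bytes = IP datagram length - IP header - TCP header
        a["payload"] = int(a["dgmlen"]) - int(a["iplen"]) - int(a["tcplen"])
        alerts.append(a)
    return alerts

def summarize(alerts):
    """Group by (signature, src, dst); report count, payload sizes, seq steps."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["sig"], a["src"], a["dst"])].append(a)
    out = {}
    for key, group in flows.items():
        seqs = [a["seq"] for a in group]
        # Step mod 2**32: 0 = same start seq alerted again; payload size = adjacent data.
        deltas = [(b - a) % 2**32 for a, b in zip(seqs, seqs[1:])]
        out[key] = {"count": len(group), "payloads": [a["payload"] for a in group], "deltas": deltas}
    return out
```

Calling `summarize(parse_alerts(open(path).read()))` on a saved alert file gives one entry per flow, which makes it easy to see which peers and ports account for most of the alerts.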
