Snort mailing list archives
Re: stream4_reassembly problems
From: "Eric J. Bowser" <ebowser () neobright net>
Date: Wed, 03 May 2006 16:34:38 -0400
I'm afraid I don't fully understand the plugin, and the docs don't make it too clear. All I have set in the conf related to stream4_reassemble is to turn it on:

preprocessor stream4_reassemble

What is the default flush behavior? Do you have a suggestion as to what setting I should try next, or better yet, a method I could follow to determine what setting is "right" for my network?

Thanks much,
Eric

Gentoo-Wally wrote:
I've seen this before. It probably has to do with your 'flush_behavior' setting in stream4. The one time I saw this I had 'flush_behavior large_window' set. I would check this first.

Wally

On 5/3/06, Eric J. Bowser <ebowser () neobright net> wrote:

Hi All,

It seems like stream4 reassembly is quite often lumping packets together unnecessarily. I'm running Snort 2.4.3 with MySQL support compiled in and the SPADE patch, on RedHat 9.0.

For example, here is a packet dump, captured by a rule from Bleeding Edge, "MALWARE Fun Web Products Spyware User Agent (1)". I have clipped the data to only show the user agent portions, and prevent revealing anything private. Based on the contents, it seems there are three separate GET requests here, to three different sites, from three different web browsers on three different machines. Why are these lumped together into a single packet and passed to Snort for scanning? The IP address reported by Snort in the packet headers is not even the infected machine! The entire packet logged by Snort is 1875 bytes long, by the way... This is happening on several rules, and is even causing false positives because of multiple packets being lumped together.

Thanks for any direction you can provide...

...
030 : 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 55 73 65 72 2D  oogle.com..User-
040 : 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35  Agent: Mozilla/5
050 : 2E 30 20 28 57 69 6E 64 6F 77 73 3B 20 55 3B 20  .0 (Windows; U; 
060 : 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B 20  Windows NT 5.1; 
070 : 65 6E 2D 55 53 3B 20 72 76 3A 31 2E 38 2E 30 2E  en-US; rv:1.8.0.
080 : 32 3B 20 47 6F 6F 67 6C 65 2D 54 52 2D 31 29 20  2; Google-TR-1) 
090 : 47 65 63 6B 6F 2F 32 30 30 36 30 33 30 38 20 46  Gecko/20060308 F
0a0 : 69 72 65 66 6F 78 2F 31 2E 35 2E 30 2E 32 0D 0A  irefox/1.5.0.2..
...
440 : 3A 32 34 61 22 0D 0A 55 73 65 72 2D 41 67 65 6E  :24a"..User-Agen
450 : 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28  t: Mozilla/4.0 (
460 : 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45  compatible; MSIE
470 : 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54   6.0; Windows NT
480 : 20 35 2E 31 3B 20 53 56 31 3B 20 46 75 6E 57 65   5.1; SV1; FunWe
490 : 62 50 72 6F 64 75 63 74 73 3B 20 2E 4E 45 54 20  bProducts; .NET 
4a0 : 43 4C 52 20 31 2E 31 2E 34 33 32 32 29 0D 0A 48  CLR 1.1.4322)..H
4b0 : 6F 73 74 3A 20 69 6D 61 67 65 73 32 2E 73 69 6E  ost: images2.sin
...
610 : 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
620 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
630 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30  atible; MSIE 6.0
640 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31  ; Windows NT 5.1
650 : 3B 20 53 56 31 3B 20 2E 4E 45 54 20 43 4C 52 20  ; SV1; .NET CLR 
660 : 31 2E 31 2E 34 33 32 32 3B 20 49 6E 66 6F 50 61  1.1.4322; InfoPa
670 : 74 68 2E 31 29 0D 0A 48 6F 73 74 3A 20 63 6F 6E  th.1)..Host: con

-- 
Eric J. Bowser
Bright.Net NE / Doylestown Communications, Inc.
800-535-6423 toll-free
www.neobright.net
www.doyestowncommunications.com
"Providing advanced communications since 1899."