Re: Very high amount of "TCP Small Segment Threshold Exceeded"

[waldo kitty <wkitty42 () windstream net>]

On 2/29/2012 08:08, Russ Combs wrote:
> If you can trigger the alerts, can you capture a pcap that reproduces the
> problem?  Maybe we can tweak the settings based on that.

+1
that's exactly what i was just getting ready to write and then i saw your post 
in the thread and read it first ;)

> On Wed, Feb 29, 2012 at 3:40 AM, Giacomo <lib.giacomo () gmail com
> <mailto:lib.giacomo () gmail com>> wrote:
>
>     Hi there,
>
>     Sorry I put it indeed in the subject but forgot to mention it in the email.
>     The event that gets thrown is: "stream5: TCP Small Segment Threshold Exceeded"
>     The configuration adjustments Shane Castle suggested don't really seem to do
>     the trick.
>     I did notice today though that the events seem to be thrown when I connect
>     with the (default) ssh client for Mac OS X. Connecting with putty seems to
>     go fine (no events are generated). This is a bit of a mystery to me why...
>
>     Cheers.
>
>     On 29/02/2012, at 7:00 AM, Russ Combs wrote:
>
> >     On Tue, Feb 28, 2012 at 2:52 PM, waldo kitty <wkitty42 () windstream net
> >     <mailto:wkitty42 () windstream net>> wrote:
> >
> >         On 2/27/2012 03:39, Giacomo wrote:
> >         > Hi there,
> >         >
> >         > I recently started using Snort. After enabling the (default)
> >         preprocessor configuration I started receiving very large amounts of
> >         events regarding stream5.
> >         > Since it is a server that is not being used for anything I assume
> >         this event is generated by my SSH connection. A couple of topics have
> >         discussed this but none come with a very clear answer why this is
> >         occurring and how you can solve it.
> >         > The only two suggestions I found was to change the max_tcp value in
> >         stream5_global or increase the memcap. But both of these suggestions
> >         don't work. So I am wondering if any one of you has an idea why this
> >         is occurring and what I can do about it.
> >
> >         what, exactly, are the SIDs being reported? the items you saw are for
> >         one or two
> >         things but stream5 can alert on numerous items...
> >
> >         here's what the snort-2.9.2.1's README.stream5 has to say...
> >
> >         Alerts
> >         ======
> >         Stream5 uses generator ID 129. It is capable of alerting on 10
> >         anomalies, all of
> >         which relate to TCP anomalies. There are no anomaly detection
> >         capabilities for
> >         UDP or ICMP.
> >
> >         SID   Description
> >         ---   -----------
> >         1     SYN on established session
> >         2     Data on SYN packet
> >         3     Data sent on stream not accepting data
> >         4     TCP Timestamp is outside of PAWS window
> >         5     Bad segment, overlap adjusted size less than/equal 0
> >         6     Window size (after scaling) larger than policy allows
> >         7     Limit on number of overlapping TCP packets reached
> >         8     Data after Reset packet
> >         9     Possible Hijacked Client
> >         10    Possible Hijacked Server
> >         11    TCP packet with any control flags set
> >         12    Limit on number of consecutive small segments reached
> >         13    4-way handshake detected
> >         14    Packet missing timestamp
> >
> >
> >         [ yes, there's a typo up there where it says 10 anomalies and then
> >         shows 14 of
> >         them ;) ]
> >
> >
> >     It's actually more than that:
> >
> >     $ grep "^129" ../etc/gen-msg.map
> >     129 || 1 || stream5: SYN on established session
> >     129 || 2 || stream5: Data on SYN packet
> >     129 || 3 || stream5: Data sent on stream not accepting data
> >     129 || 4 || stream5: TCP Timestamp is outside of PAWS window
> >     129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
> >     129 || 6 || stream5: Window size (after scaling) larger than policy allows
> >     129 || 7 || stream5: Limit on number of overlapping TCP packets reached
> >     129 || 8 || stream5: Data sent on stream after TCP Reset
> >     129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
> >     129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
> >     129 || 11 || stream5: TCP Data with no TCP Flags set
> >     129 || 12 || stream5: TCP Small Segment Threshold Exceeded
> >     129 || 13 || stream5: TCP 4-way handshake detected
> >     129 || 14 || stream5: TCP Timestamp is missing
> >     129 || 15 || stream5: Reset outside window
> >     129 || 16 || stream5: FIN number is greater than prior FIN
> >     129 || 17 || stream5: ACK number is greater than prior FIN
> >     129 || 18 || stream5: Data sent on stream after TCP Reset received
> >     129 || 19 || stream5: TCP window closed before receiving data



------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!