Snort mailing list archives
RE: Stream4 Mangling? (more details/debugging)
From: SRH-Lists <giermo () 333tech com>
Date: Wed, 2 Jun 2004 13:57:49 -0500
According to snort, this packet happened. I have the full pcap of the session if it is needed to recreate the error. Needless to say, there was no such packet on the wire or in the pcap, it is two separate packets, one from the client and a response from the server bashed together. Note the 0A0D0A0D after the cookie, that is where this packet should really end.

snort 2.1.2 on OpenBSD 3.4

------------------------------------------------------------------------
Count:3 Event#5.6665 2004-05-27 17:35:22
WEB-MISC cross site scripting attempt
a.b.c.d -> e.f.g.h
IPVer=4 hlen=5 tos=16 dlen=2689 ID=0 flags=0 offset=0 ttl=240 chksum=1
Protocol: 6 sport=1695 -> dport=80
Seq=123311182 Ack=1480851998 Off=5 Res=0 Flags=***AP*** Win=16560 urp=0 chksum=0
Payload:
47 45 54 20 2F 45 6D 62 6C 69 62 72 61 72 79 2F  GET /xxxxxxxxxx/
70 72 6F 64 75 63 74 2E 61 73 70 3F 63 61 74 61  product.asp?cata
6C 6F 67 25 35 46 6E 61 6D 65 3D 45 6D 62 6C 69  log%5Fname=xxxxx
36 36 45 34 43 41 42 34 31 38 31 34 34 33 39 31  66E4CAB418144391
31 46 42 38 43 35 45 37 44 33 31 33 36 41 46 45  1FB8C5E7D3136AFE
--cut--
42 44 37 41 33 45 46 45 43 36 35 30 35 32 42 42  BD7A3EFEC65052BB
41 44 42 38 42 44 30 39 46 42 46 35 41 39 38 33  ADB8BD09FBF5A983
32 43 32 30 38 37 32 45 37 33 44 35 43 36 34 43  2C20872E73D5C64C
46 42 30 36 33 45 42 35 46 45 41 45 42 34 42 42  FB063EB5FEAEB4BB
41 44 3B 20 41 53 50 53 45 53 53 49 4F 4E 49 44  AD; ASPSESSIONID
43 43 41 42 51 41 43 42 3D 50 48 4A 4E 49 4B 49  CCABQACB=PHJNIKI
43 41 4D 4D 4A 44 4E 4A 50 4E 42 4F 4B 47 4C 48  CAMMJDNJPNBOKGLH
44 0D 0A 0D 0A 65 3D 22 43 4F 4C 4F 52 3A 30 30  D....e="COLOR:00
30 30 30 30 3B 20 46 4F 4E 54 3A 20 31 33 70 74  0000; FONT: 13pt
2F 31 35 70 74 20 76 65 72 64 61 6E 61 22 3E 3C  /15pt verdana"><
21 2D 2D 50 72 6F 62 6C 65 6D 2D 2D 3E 54 68 65  !--Problem-->The
20 70 61 67 65 20 63 61 6E 6E 6F 74 20 62 65 20   page cannot be
66 6F 75 6E 64 3C 2F 68 31 3E 0D 0A 20 20 20 20  found</h1>..
Here is what is happening. I isolated where the data that was tacked on to the end of this 'cooked' stream4 packet came from and found something odd. Here is how it goes.

1) session from a.b.c.d:1695 to e.f.g.h:80 established
2) session from i.j.k.l:63011 to m.n.o.p:80 established
3) m.n.o.p sends a FIN ACK to i.j.k.l
4) i.j.k.l catches up on a few ACKs then gives a FIN ACK to m.n.o.p
5) m.n.o.p ACKs the FIN ACK from i.j.k.l and stream4 flushes and drops the session
6) a few more ACKs come in from i.j.k.l (out of order, these were ACKs for data earlier in the session)
7) stream4 doesn't know what to do with these ACKs, so it creates a new session
8) data e.f.g.h->a.b.c.d happens and a client stream flush occurs. The recreated packet contains data from the 'orphan' i.j.k.l->m.n.o.p session

stream4 debugs (look for ###comments### inline)

####here is the FIN from the server###
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A***F
spp_stream4.c:1751: pkt_seq: 1640407173, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A***F
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1880: server packet: ***A***F
spp_stream4.c:2038: Marking that a fin was was sent FROM_SERVER
spp_stream4.c:1460: SetFinSet() called for FROM_SERVER
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2114: Got FIN ACK (0x11)
spp_stream4.c:2120: Client Transition: CLOSE_WAIT
spp_stream4.c:2120: Server Transition: FIN_WAIT_1
spp_stream4.c:4575: client.base_seq(1027249968) client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968) client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2666
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80 ***A****
spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640402970
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2473: Server state: FIN_WAIT_1
spp_stream4.c:2510: Server Transition: FIN_WAIT_2
spp_stream4.c:2510: Client Transition: CLOSE_WAIT
spp_stream4.c:4655: server.base_seq(1640324431) server.last_ack(1640402970) server.next_seq(1640407173)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2667
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:1751: pkt_seq: 1640402970, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314: Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968) client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968) client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2668
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:1751: pkt_seq: 1640404350, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 79982)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314: Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968) client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968) client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2669
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:1751: pkt_seq: 1640405730, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 81362)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314: Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968) client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968) client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2670
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80 ***A****
spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640405730
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:4473: returning -- action nothing
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2671
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80 ***A****
spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:4473: returning -- action nothing
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2672

####After catching up on some ACKs the client FINACKs
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80 ***A***F
spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A***F
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A***F
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A***F
spp_stream4.c:2038: Marking that a fin was was sent FROM_CLIENT
spp_stream4.c:1460: SetFinSet() called for FROM_CLIENT
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:2526: Client Transition: LAST_ACK
spp_stream4.c:2526: Server Transition: TIME_WAIT
spp_stream4.c:4655: server.base_seq(1640324431) server.last_ack(1640407173) server.next_seq(1640407173)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x607
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2673

####the server ACK's the FINACK and the session is disposed of.
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:1751: pkt_seq: 1640402970, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2265: Client state: LAST_ACK
spp_stream4.c:2271: Client Transition: CLOSED
spp_stream4.c:4693: flushing server stream, ending session: 0
spp_stream4.c:4711: flushing client stream, ending session
spp_stream4.c:3991: FlushStream Entered:last_ack(1027250562) base_seq(1027249968) trCount(1)
gspp_stream4.c:411: (1027249968,1027250561,1027249968) = (low, high, cur)
spp_stream4.c:411: (1027249968,1027250562,1027250562) = (low, high, cur)
spp_stream4.c:577: Copying 594 bytes into buffer, offset 0, buf 0x1d8046
spp_stream4.c:582: spd->seq_num (1027249968) s->last_ack (1027250562) s->base_seq(1027249968) size: (594) s->next_seq(1027250562), offset(0), MAX(65481)
spp_stream4.c:4336: Built packet to 66.173.109.252 from 9e45bccf with 594 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2674
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:4728: Dumping session
spp_stream4.c:3379: Dropping session 0x1c9a700
spp_stream4.c:3389: [F] Freeing 148 byte session
spp_stream4.c:3498: 1 streams active, 2371 bytes in use
spp_stream4.c:1720: pcount stream packet 2675

####Oh crap, more data in the session. stream4 can't find a session so it makes a new one. This is the packet that the extra data in the event came from, btw.
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:1751: pkt_seq: 1640404350, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3461: Unable to find session
spp_stream4.c:1758: Calling CreateNewSession()
spp_stream4.c:2910: [A] initializing new session (148 bytes)
spp_stream4.c:3106: Inserting session into session tree...
spp_stream4.c:1778: Picking up session midstream
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 1434 bytes for packet
spp_stream4.c:4655: server.base_seq(1027250562) server.last_ack(1027250562) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 2 streams active, 4009 bytes in use
spp_stream4.c:1720: pcount stream packet 2676
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:1751: pkt_seq: 1640405730, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 1380, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 1434 bytes for packet
spp_stream4.c:4655: server.base_seq(1027250562) server.last_ack(1027250562) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 2 streams active, 5499 bytes in use
spp_stream4.c:1720: pcount stream packet 2677
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80 ***A****
spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2760, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640404350) client.last_ack(1640404350) offset(0)
spp_stream4.c:4601: client.base_seq(1640404350) client.last_ack(1640407174) client.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x103
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 5499 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2678
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80 ***A****
spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2760, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640404350) client.last_ack(1640407174) offset(2824)
spp_stream4.c:4601: client.base_seq(1640404350) client.last_ack(1640407174) client.next_seq(0)
spp_stream4.c:4616: Flushing Client packet buffer (2824 bytes a: 0x61C6A086 b: 0x61C6957E pkts: 2)
spp_stream4.c:3991: FlushStream Entered:last_ack(1640407174) base_seq(1640404350) trCount(2)
gspp_stream4.c:411: (1640404350,1640407173,1640404350) = (low, high, cur)
spp_stream4.c:411: (1640404350,1640407174,1640405730) = (low, high, cur)
spp_stream4.c:577: Copying 1380 bytes into buffer, offset 0, buf 0x1d8046
spp_stream4.c:582: spd->seq_num (1640404350) s->last_ack (1640407174) s->base_seq(1640404350) size: (1380) s->next_seq(1640405730), offset(0), MAX(65481)
spp_stream4.c:411: (1640404350,1640407173,1640405730) = (low, high, cur)
spp_stream4.c:411: (1640404350,1640407174,1640407110) = (low, high, cur)
spp_stream4.c:577: Copying 1380 bytes into buffer, offset 1380, buf 0x1d8046
spp_stream4.c:582: spd->seq_num (1640405730) s->last_ack (1640407174) s->base_seq(1640404350) size: (1380) s->next_seq(1640407110), offset(1380), MAX(65481)
spp_stream4.c:4256: bd.total_size(2760) < stream_size(2824):Incomplete segment -- packet loss or weird
spp_stream4.c:4336: Built packet to 207.188.69.158 from fc6dad42 with 2824 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2679
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2680
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80 ***A****
spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640407174) client.last_ack(1640407174) offset(0)
spp_stream4.c:4601: client.base_seq(1640407174) client.last_ack(1640407174) client.next_seq(1640407110)
spp_stream4.c:4629: 130 (0) bytes to go before we flush: (0) segments stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2681
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:1751: pkt_seq: 1640407174, pkt_ack: 1027250563
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42 cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011 cip: 0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:4655: server.base_seq(1027250562) server.last_ack(1027250563) server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
spp_stream4.c:1720: pcount stream packet 2682

####now back to the other session
spp_stream4.c:1746: Got Packet 0x3B88A240:1695 -> 0xFA6DAD42:80 ***AP***
spp_stream4.c:1751: pkt_seq: 1480853378, pkt_ack: 123311182
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x3B88A240 sp: 1695 cip: 0xFA6DAD42 cp: 80 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFA6DAD42 sp: 80 cip: 0x3B88A240 cp: 1695 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2649, server: 1941884)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (93 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 93 bytes for packet
spp_stream4.c:4655: server.base_seq(121430018) server.last_ack(123311182) server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 2668 bytes in use
spp_stream4.c:1720: pcount stream packet 2683

####this is the packet that is the first half of the 'cooked' stream4 packet. Note that the client stream is flushed here.
spp_stream4.c:1746: Got Packet 0xFA6DAD42:80 -> 0x3B88A240:1695 ***A****
spp_stream4.c:1751: pkt_seq: 123311182, pkt_ack: 1480851998
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFA6DAD42 sp: 80 cip: 0x3B88A240 cp: 1695 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2688, server: 1941884)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1480850729) client.last_ack(1480851998) offset(1269)
spp_stream4.c:4601: client.base_seq(1480850729) client.last_ack(1480851998) client.next_seq(1480850729)
spp_stream4.c:4616: Flushing Client packet buffer (1269 bytes a: 0x5844021E b: 0x5843FD29 pkts: 2)
spp_stream4.c:3991: FlushStream Entered:last_ack(1480851998) base_seq(1480850729) trCount(2)
gspp_stream4.c:411: (1480850729,1480851997,1480850729) = (low, high, cur)
spp_stream4.c:411: (1480850729,1480851998,1480851998) = (low, high, cur)
spp_stream4.c:577: Copying 1269 bytes into buffer, offset 0, buf 0x1d8046
spp_stream4.c:582: spd->seq_num (1480850729) s->last_ack (1480851998) s->base_seq(1480850729) size: (1269) s->next_seq(1480851998), offset(0), MAX(65481)
spp_stream4.c:411: (1480850729,1480851997,1480853378) = (low, high, cur)
spp_stream4.c:411: (1480850729,1480851997,1480853378) = (low, high, cur)
spp_stream4.c:633: => Segment is past last ack'd data, ignoring for now...
spp_stream4.c:633: => (39 bytes @ seq 0x58440782, ack: 0x5844021E)
spp_stream4.c:4336: Built packet to 64.162.136.59 from fa6dad42 with 2649 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2684
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:4078: Flusing stream due to an alert!
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:4082: Don't Flush a Rebuilt Stream
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 1289 bytes in use
spp_stream4.c:1720: pcount stream packet 2685
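
The drop-then-midstream-pickup sequence from steps 5 to 7 of the message above can be found mechanically in stream4 debug output. The Python below is an added example, not part of the original post and not Snort code; the function names are hypothetical, and the sample is a condensed excerpt of the log lines quoted in the post.

```python
import re

ENTRY = re.compile(r"spp_stream4\.c:\d+: ")
GOT = re.compile(r"Got Packet 0x([0-9A-Fa-f]+):(\d+) -> 0x([0-9A-Fa-f]+):(\d+)")
PCOUNT = re.compile(r"pcount stream packet (\d+)")
STORED = re.compile(r"Storing client packet \((\d+) bytes\)")

# Condensed excerpt of the debug output quoted in the post; entries the check
# does not use are omitted. One entry is left fused to the packet flags, as it
# appears in the post.
SAMPLE_LOG = """\
spp_stream4.c:1720: pcount stream packet 2673
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****spp_stream4.c:1751: pkt_seq: 1640402970, pkt_ack: 1027250562
spp_stream4.c:3465: Found session
spp_stream4.c:2271: Client Transition: CLOSED
spp_stream4.c:1720: pcount stream packet 2674
spp_stream4.c:3379: Dropping session 0x1c9a700
spp_stream4.c:1720: pcount stream packet 2675
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:3461: Unable to find session
spp_stream4.c:1778: Picking up session midstream
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:1720: pcount stream packet 2676
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011 ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:1720: pcount stream packet 2682
spp_stream4.c:1746: Got Packet 0x3B88A240:1695 -> 0xFA6DAD42:80 ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:3608: Storing client packet (93 bytes)
"""


def entries(text):
    """Yield each stream4 debug message, with or without line breaks."""
    marks = list(ENTRY.finditer(text))
    for cur, nxt in zip(marks, marks[1:] + [None]):
        yield text[cur.end():nxt.start() if nxt else len(text)].strip()


def find_reopened_flows(text):
    """Report flows that stream4 dropped and then picked up again midstream."""
    flow = None      # endpoints of the packet currently being processed
    pcount = None    # last "pcount stream packet" value seen
    dropped = {}     # flow -> pcount when its session was dropped
    reopened = {}    # flow -> finding
    for msg in entries(text):
        if m := PCOUNT.match(msg):
            pcount = int(m.group(1))
        elif m := GOT.match(msg):
            a = (int(m.group(1), 16), int(m.group(2)))
            b = (int(m.group(3), 16), int(m.group(4)))
            flow = tuple(sorted((a, b)))  # same key for both directions
        elif msg.startswith("Dropping session") and flow:
            dropped[flow] = pcount
        elif msg.startswith("Picking up session midstream") and flow in dropped:
            reopened[flow] = {
                "flow": " <-> ".join(f"0x{ip:08X}:{port}" for ip, port in flow),
                "dropped_at": dropped.pop(flow),
                "reopened_at": pcount,
                "stored_bytes": 0,
            }
        elif (m := STORED.match(msg)) and flow in reopened:
            # Segments buffered by the orphan session after the real one ended.
            reopened[flow]["stored_bytes"] += int(m.group(1))
    return list(reopened.values())


if __name__ == "__main__":
    for finding in find_reopened_flows(SAMPLE_LOG):
        print(finding)
```

Because the entries are located by their `spp_stream4.c:NNNN:` prefix rather than by line, the same function works on output whose line breaks were lost.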