Snort mailing list archives

Re: snort 2.3.3 --enable-flexresp


From: Rich Adamson <radamson () routers com>
Date: Mon, 25 Apr 2005 12:56:51 -0600

When you use a telnet client to generate test traffic, the telnet client
will generally send one TCP segment per character because the telnet
client explicitly disables the nagle algorithm.


Side note: this depends a LOT on which telnet client you use. Apparently
some telnet clients do send data in bursts under some circumstances, and
others send it byte-by-byte.

In general, it's probably a better idea to test with netcat, or similar
tools which don't play games with what gets put on the wire.

However, it would be better if stream4 could re-assemble this, but AFAIK
it cannot. It's really more designed for simple segmentation cases, not
really slow byte-by-byte transfers.

For example, this packet was captured using the RedHat Linux telnet
client connecting to a sendmail server on port 25. No data was sent
until I hit CR:

"HELLO<cr/lf>" (hex 48 45 4c 4c 4f 0d 0a)

11:45:45.105951 10.0.0.xx.17098 > 192.168.50.xx.smtp: P [tcp sum ok]
1:8(7) ack 87 win 5840 <nop,nop,timestamp 351528130 182833090> (DF) [tos
 0x10]  (ttl 64, id 23716, len 59)
                         4510 003b 5ca4 4000 4006 e145 0a00 00xx
                         c0a8 32xx 42ca 0019 0edf e86f f6fb 2d7b
                         8018 16d0 4275 0000 0101 080a 14f3 e4c2
                         0ae5 cfc2 4845 4c4c 4f0d 0a


However, this stream came from telnetting to the same server with the
Microsoft Windows command prompt telnet client, and it sent each
character as I typed it, and the server acknowledged each TCP segment
before I could type another character.

"H" (hex 48)
11:47:48.028835 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
1:2(1) ack 87 win 64154 (DF) (ttl 128, id 13723, len 41)
                         4500 0029 359b 4000 8006 c42b 0a00 04xx
                         c0a8 32xx 0580 0019 13f4 6729 cdd4 7084
                         5018 fa9a ad18 0000 4800 0000 0000
11:47:48.028887 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
2 win 5840 (DF) (ttl 64, id 40418, len 40)
                         4500 0028 9de2 4000 4006 9be5 c0a8 32xx
                         0a00 04xx 0019 0580 cdd4 7084 13f4 672a
                         5010 16d0 d8eb 0000
"E" (hex 45)
11:47:48.654637 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
2:3(1) ack 87 win 64154 (DF) (ttl 128, id 13725, len 41)
                         4500 0029 359d 4000 8006 c429 0a00 04xx
                         c0a8 32xx 0580 0019 13f4 672a cdd4 7084
                         5018 fa9a b017 0000 4500 0000 0000
11:47:48.654688 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
3 win 5840 (DF) (ttl 64, id 56749, len 40)
                         4500 0028 ddad 4000 4006 5c1a c0a8 32xx
                         0a00 04xx 0019 0580 cdd4 7084 13f4 672b
                         5010 16d0 d8ea 0000
"L" (hex 4c)
11:47:49.141334 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
3:4(1) ack 87 win 64154 (DF) (ttl 128, id 13727, len 41)
                         4500 0029 359f 4000 8006 c427 0a00 04xx
                         c0a8 32xx 0580 0019 13f4 672b cdd4 7084
                         5018 fa9a a916 0000 4c00 0000 0000
11:47:49.141389 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
4 win 5840 (DF) (ttl 64, id 47892, len 40)
                         4500 0028 bb14 4000 4006 7eb3 c0a8 32xx
                         0a00 04xx 0019 0580 cdd4 7084 13f4 672c
                         5010 16d0 d8e9 0000
"L" (hex 4c)
11:47:49.474804 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
4:5(1) ack 87 win 64154 (DF) (ttl 128, id 13729, len 41)
                         4500 0029 35a1 4000 8006 c425 0a00 04xx
                         c0a8 32xx 0580 0019 13f4 672c cdd4 7084
                         5018 fa9a a915 0000 4c00 0000 0000
11:47:49.474865 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
5 win 5840 (DF) (ttl 64, id 43544, len 40)
                         4500 0028 aa18 4000 4006 8faf c0a8 32xx
                         0a00 04xx 0019 0580 cdd4 7084 13f4 672d
                         5010 16d0 d8e8 0000
"O" (hex 4f)
11:47:49.769274 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok]
5:6(1) ack 87 win 64154 (DF) (ttl 128, id 13731, len 41)
                         4500 0029 35a3 4000 8006 c423 0a00 04xx
                         c0a8 32xx 0580 0019 13f4 672d cdd4 7084
                         5018 fa9a a614 0000 4f00 0000 0000
11:47:49.769318 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack
6 win 5840 (DF) (ttl 64, id 50071, len 40)
                         4500 0028 c397 4000 4006 7630 c0a8 32xx
                         0a00 04xx 0019 0580 cdd4 7084 13f4 672e
                         5010 16d0 d8e7 0000

Telnet clients use a short duration timer to determine when to send
data. The timer is typically around 50 milliseconds or so, but can
vary by vendor, etc. If you're very quick with keypresses, it's usually
not too difficult to get two or three characters stuffed into each
packet (as an example only).

As you already mentioned, it does vary from one client to another.
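The dumps above show why a per-packet content match on "HELLO" sees the RedHat client's single segment but misses the Windows client's five one-byte segments unless the TCP stream is reassembled first. The following Python script is an added example, not code from the post or from Snort's stream4: it parses the IP/TCP headers out of the tcpdump hex shown above, strips the Ethernet padding using the IP total length, orders the client-to-server payloads by sequence number, and compares a per-segment match against a match on the reassembled stream. The masked "xx" host octets in the post are replaced with a constructed value (05), so the TCP checksums in the dumps no longer verify; the script does not check them.

```python
import struct

# Hex transcribed from the post's tcpdump output. The masked "xx" octets are
# replaced with the constructed value 05 so the bytes parse (checksums are
# therefore not valid and are not checked).
REDHAT_CLIENT_HEX = """
4510 003b 5ca4 4000 4006 e145 0a00 0005
c0a8 3205 42ca 0019 0edf e86f f6fb 2d7b
8018 16d0 4275 0000 0101 080a 14f3 e4c2
0ae5 cfc2 4845 4c4c 4f0d 0a
"""

# Client -> server segments from the Windows telnet capture. Each carries one
# byte of payload; the trailing "0000 0000" is Ethernet padding (IP len is 41).
WINDOWS_CLIENT_HEX = [
    "4500 0029 359b 4000 8006 c42b 0a00 0405 c0a8 3205 0580 0019 13f4 6729"
    " cdd4 7084 5018 fa9a ad18 0000 4800 0000 0000",
    "4500 0029 359d 4000 8006 c429 0a00 0405 c0a8 3205 0580 0019 13f4 672a"
    " cdd4 7084 5018 fa9a b017 0000 4500 0000 0000",
    "4500 0029 359f 4000 8006 c427 0a00 0405 c0a8 3205 0580 0019 13f4 672b"
    " cdd4 7084 5018 fa9a a916 0000 4c00 0000 0000",
    "4500 0029 35a1 4000 8006 c425 0a00 0405 c0a8 3205 0580 0019 13f4 672c"
    " cdd4 7084 5018 fa9a a915 0000 4c00 0000 0000",
    "4500 0029 35a3 4000 8006 c423 0a00 0405 c0a8 3205 0580 0019 13f4 672d"
    " cdd4 7084 5018 fa9a a614 0000 4f00 0000 0000",
]


def parse_hex_dump(text):
    """Turn a whitespace-separated tcpdump hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_ipv4_tcp(raw):
    """Extract the TCP fields a stream reassembler needs from one IPv4 packet.

    The IP total length field is used to cut off link-layer padding, and the
    TCP data offset is used to skip options (the RedHat packet has 12 bytes of
    timestamp options, the Windows packets have none).
    """
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],
    }


def reassemble(segments):
    """Concatenate payloads in sequence-number order, one direction only.

    Retransmitted or overlapping bytes are dropped; a hole in the sequence
    space stops reassembly (sequence wrap-around is ignored for brevity).
    """
    segs = sorted((s for s in segments if s["payload"]), key=lambda s: s["seq"])
    if not segs:
        return b""
    data = bytearray()
    expected = segs[0]["seq"]
    for s in segs:
        if s["seq"] > expected:
            break  # gap: a later byte arrived before an earlier one was seen
        overlap = expected - s["seq"]
        fresh = s["payload"][overlap:]
        data += fresh
        expected += len(fresh)
    return bytes(data)


def matches_per_segment(segments, pattern):
    """What a non-reassembling packet-level content match would see."""
    return [pattern in s["payload"] for s in segments]


def compare(hex_dumps, pattern):
    """Per-segment hits versus a hit on the reassembled client->server stream."""
    segs = [parse_ipv4_tcp(parse_hex_dump(h)) for h in hex_dumps]
    to_server = [s for s in segs if s["dport"] == 25]
    stream = reassemble(to_server)
    return {
        "per_segment": matches_per_segment(to_server, pattern),
        "stream": stream,
        "stream_match": pattern in stream,
    }


if __name__ == "__main__":
    print("RedHat client :", compare([REDHAT_CLIENT_HEX], b"HELLO"))
    print("Windows client:", compare(WINDOWS_CLIENT_HEX, b"HELLO"))
```

The Windows case yields five per-segment misses and one stream hit; the RedHat case hits either way. The `reassemble` function is deliberately minimal, so it illustrates the ordering step rather than the timeout, window and overlap-policy handling a real reassembler such as stream4 has to make.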