
RE: [Snort-users] Stream4 Mangling? (more details/debugging)



Old 06-02-2004
SRH-Lists

>
> According to snort, this packet happened. I have the full pcap of the
> session if it is needed to recreate the error. Needless to say, there
> was no such packet on the wire or in the pcap, it is two separate
> packets, one from the client and a response from the server bashed
> together. Note the 0A0D0A0D after the cookie, that is where
> this packet
> should really end.
>
> snort 2.1.2 on OpenBSD 3.4
>
>
>
> --------------------------------------------------------------
> ----------
> Count:3 Event#5.6665 2004-05-27 17:35:22
> WEB-MISC cross site scripting attempt
> a.b.c.d -> e.f.g.h
> IPVer=4 hlen=5 tos=16 dlen=2689 ID=0 flags=0 offset=0 ttl=240 chksum=1
> Protocol: 6 sport=1695 -> dport=80
>
> Seq=123311182 Ack=1480851998 Off=5 Res=0 Flags=***AP***
> Win=16560 urp=0
> chksum=0
> Payload:
> 47 45 54 20 2F 45 6D 62 6C 69 62 72 61 72 79 2F GET /xxxxxxxxxx/
> 70 72 6F 64 75 63 74 2E 61 73 70 3F 63 61 74 61 product.asp?cata
> 6C 6F 67 25 35 46 6E 61 6D 65 3D 45 6D 62 6C 69 log%5Fname=xxxxx
> 36 36 45 34 43 41 42 34 31 38 31 34 34 33 39 31 66E4CAB418144391
> 31 46 42 38 43 35 45 37 44 33 31 33 36 41 46 45 1FB8C5E7D3136AFE
> --cut--
> 42 44 37 41 33 45 46 45 43 36 35 30 35 32 42 42 BD7A3EFEC65052BB
> 41 44 42 38 42 44 30 39 46 42 46 35 41 39 38 33 ADB8BD09FBF5A983
> 32 43 32 30 38 37 32 45 37 33 44 35 43 36 34 43 2C20872E73D5C64C
> 46 42 30 36 33 45 42 35 46 45 41 45 42 34 42 42 FB063EB5FEAEB4BB
> 41 44 3B 20 41 53 50 53 45 53 53 49 4F 4E 49 44 AD; ASPSESSIONID
> 43 43 41 42 51 41 43 42 3D 50 48 4A 4E 49 4B 49 CCABQACB=PHJNIKI
> 43 41 4D 4D 4A 44 4E 4A 50 4E 42 4F 4B 47 4C 48 CAMMJDNJPNBOKGLH
> 44 0D 0A 0D 0A 65 3D 22 43 4F 4C 4F 52 3A 30 30 D....e="COLOR:00
> 30 30 30 30 3B 20 46 4F 4E 54 3A 20 31 33 70 74 0000; FONT: 13pt
> 2F 31 35 70 74 20 76 65 72 64 61 6E 61 22 3E 3C /15pt verdana"><
> 21 2D 2D 50 72 6F 62 6C 65 6D 2D 2D 3E 54 68 65 !--Problem-->The
> 20 70 61 67 65 20 63 61 6E 6E 6F 74 20 62 65 20 page cannot be
> 66 6F 75 6E 64 3C 2F 68 31 3E 0D 0A 20 20 20 20 found</h1>..


Here is what is happening. I isolated where the data that was tacked on
to the end of this 'cooked' stream4 packet came from and found something
odd. Here is how it goes.

1) session from a.b.c.d:1695 to e.f.g.h:80 established
2) session from i.j.k.l:63011 to m.n.o.p:80 established
3) m.n.o.p sends a FIN ACK to i.j.k.l
4) i.j.k.l catches up on a few ACK's then gives a FIN ACK to m.n.o.p
5) m.n.o.p ACKs the FIN ACK from i.j.k.l and stream4 flushes and drops
the session
6) a few more ACKs come in from i.j.k.l (out of order, these were ACKs
for data earlier in the session)
7) stream4 doesn't know what to do with these ACKs, so it creates a new
session
8) data e.f.g.h->a.b.c.d happens and a client stream flush occurs. The
recreated packet contains data from the 'orphan' i.j.k.l->m.n.o.p
session


stream4 debug output (look for ####comments#### inline)
####here is the FIN from the server####
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A***Fspp_stream4.c:1751: pkt_seq: 1640407173, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A***F
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1880: server packet: ***A***F
spp_stream4.c:2038: Marking that a fin was was sent FROM_SERVER
spp_stream4.c:1460: SetFinSet() called for FROM_SERVER
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2114: Got FIN ACK (0x11)
spp_stream4.c:2120: Client Transition: CLOSE_WAIT
spp_stream4.c:2120: Server Transition: FIN_WAIT_1
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2666
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640402970
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2473: Server state: FIN_WAIT_1
spp_stream4.c:2510: Server Transition: FIN_WAIT_2
spp_stream4.c:2510: Client Transition: CLOSE_WAIT
spp_stream4.c:4655: server.base_seq(1640324431)
server.last_ack(1640402970) server.next_seq(1640407173)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2667
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640402970, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 78602)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314: Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2668
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640404350, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 79982)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314: Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2669
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640405730, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 81362)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2281: Client state: CLOSE_WAIT
spp_stream4.c:2314: Server Transition: FIN_WAIT_2
spp_stream4.c:4575: client.base_seq(1027249968)
client.last_ack(1027250562) offset(594)
spp_stream4.c:4601: client.base_seq(1027249968)
client.last_ack(1027250562) client.next_seq(1027249968)
spp_stream4.c:4629: -405 (594) bytes to go before we flush: (1) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2670
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640405730
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:4473: returning -- action nothing
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2671
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:4473: returning -- action nothing
spp_stream4.c:1958: Stream is established!,ssnflags = 0x407
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2672

####After catching up on some ACKs the client FINACKs
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80
***A***Fspp_stream4.c:1751: pkt_seq: 1027250562, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A***F
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A***F
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1886: client packet: ***A***F
spp_stream4.c:2038: Marking that a fin was was sent FROM_CLIENT
spp_stream4.c:1460: SetFinSet() called for FROM_CLIENT
spp_stream4.c:2518: Server state: FIN_WAIT_2
spp_stream4.c:2526: Client Transition: LAST_ACK
spp_stream4.c:2526: Server Transition: TIME_WAIT
spp_stream4.c:4655: server.base_seq(1640324431)
server.last_ack(1640407173) server.next_seq(1640407173)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x607
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 3223 bytes in use
spp_stream4.c:1720: pcount stream packet 2673

####the server ACK's the FINACK and the session is disposed of.
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640402970, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 594, server: 82742)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2265: Client state: LAST_ACK
spp_stream4.c:2271: Client Transition: CLOSED
spp_stream4.c:4693: flushing server stream, ending session: 0
spp_stream4.c:4711: flushing client stream, ending session
spp_stream4.c:3991: FlushStream Entered:last_ack(1027250562)
base_seq(1027249968) trCount(1)
gspp_stream4.c:411: (1027249968,1027250561,1027249968) = (low, high,
cur)
spp_stream4.c:411: (1027249968,1027250562,1027250562) = (low, high, cur)
spp_stream4.c:577: Copying 594 bytes into buffer, offset 0, buf 0x1d8046
spp_stream4.c:582: spd->seq_num (1027249968) s->last_ack (1027250562)
s->base_seq(1027249968) size: (594) s->next_seq(1027250562), offset(0),
MAX(65481)
spp_stream4.c:4336: Built packet to 66.173.109.252 from 9e45bccf with
594 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2674
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:4728: Dumping session
spp_stream4.c:3379: Dropping session 0x1c9a700
spp_stream4.c:3389: [F] Freeing 148 byte session
spp_stream4.c:3498: 1 streams active, 2371 bytes in use
spp_stream4.c:1720: pcount stream packet 2675

####Oh crap, more data in the session. stream4 can't find a session so
it makes a new one. This is the packet that the extra data in the event
came from, btw.
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640404350, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3461: Unable to find session
spp_stream4.c:1758: Calling CreateNewSession()
spp_stream4.c:2910: [A] initializing new session (148 bytes)
spp_stream4.c:3106: Inserting session into session tree...
spp_stream4.c:1778: Picking up session midstream
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 1434 bytes for packet
spp_stream4.c:4655: server.base_seq(1027250562)
server.last_ack(1027250562) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 2 streams active, 4009 bytes in use
spp_stream4.c:1720: pcount stream packet 2676
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640405730, pkt_ack: 1027250562
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 1380, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (1434 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 1434 bytes for packet
spp_stream4.c:4655: server.base_seq(1027250562)
server.last_ack(1027250562) server.next_seq(0)
spp_stream4.c:1964: Stream is not established!
spp_stream4.c:3498: 2 streams active, 5499 bytes in use
spp_stream4.c:1720: pcount stream packet 2677
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2760, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640404350)
client.last_ack(1640404350) offset(0)
spp_stream4.c:4601: client.base_seq(1640404350)
client.last_ack(1640407174) client.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x103
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 5499 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2678
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2760, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640404350)
client.last_ack(1640407174) offset(2824)
spp_stream4.c:4601: client.base_seq(1640404350)
client.last_ack(1640407174) client.next_seq(0)
spp_stream4.c:4616: Flushing Client packet buffer (2824 bytes a:
0x61C6A086 b: 0x61C6957E pkts: 2)
spp_stream4.c:3991: FlushStream Entered:last_ack(1640407174)
base_seq(1640404350) trCount(2)
gspp_stream4.c:411: (1640404350,1640407173,1640404350) = (low, high,
cur)
spp_stream4.c:411: (1640404350,1640407174,1640405730) = (low, high, cur)
spp_stream4.c:577: Copying 1380 bytes into buffer, offset 0, buf
0x1d8046
spp_stream4.c:582: spd->seq_num (1640404350) s->last_ack (1640407174)
s->base_seq(1640404350) size: (1380) s->next_seq(1640405730), offset(0),
MAX(65481)
spp_stream4.c:411: (1640404350,1640407173,1640405730) = (low, high, cur)
spp_stream4.c:411: (1640404350,1640407174,1640407110) = (low, high, cur)
spp_stream4.c:577: Copying 1380 bytes into buffer, offset 1380, buf
0x1d8046
spp_stream4.c:582: spd->seq_num (1640405730) s->last_ack (1640407174)
s->base_seq(1640404350) size: (1380) s->next_seq(1640407110),
offset(1380), MAX(65481)
spp_stream4.c:4256: bd.total_size(2760) < stream_size(2824):Incomplete
segment -- packet loss or weird
spp_stream4.c:4336: Built packet to 207.188.69.158 from fc6dad42 with
2824 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2679
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2680
spp_stream4.c:1746: Got Packet 0xFC6DAD42:63011 -> 0x9E45BCCF:80
***A****spp_stream4.c:1751: pkt_seq: 1027250563, pkt_ack: 1640407174
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1640407174)
client.last_ack(1640407174) offset(0)
spp_stream4.c:4601: client.base_seq(1640407174)
client.last_ack(1640407174) client.next_seq(1640407110)
spp_stream4.c:4629: 130 (0) bytes to go before we flush: (0) segments
stored
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
sp_clientserver.c:317: CheckFromClient: returning 0
spp_stream4.c:1720: pcount stream packet 2681
spp_stream4.c:1746: Got Packet 0x9E45BCCF:80 -> 0xFC6DAD42:63011
***A****spp_stream4.c:1751: pkt_seq: 1640407174, pkt_ack: 1027250563
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x9E45BCCF sp: 80 cip: 0xFC6DAD42
cp: 63011 flags: ***A****
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFC6DAD42 sp: 63011 cip:
0x9E45BCCF cp: 80 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***A****
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:4655: server.base_seq(1027250562)
server.last_ack(1027250563) server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x107
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 2519 bytes in use
spp_stream4.c:1720: pcount stream packet 2682

####now back to the other session
spp_stream4.c:1746: Got Packet 0x3B88A240:1695 -> 0xFA6DAD42:80
***AP***spp_stream4.c:1751: pkt_seq: 1480853378, pkt_ack: 123311182
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x3B88A240 sp: 1695 cip:
0xFA6DAD42 cp: 80 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0xFA6DAD42 sp: 80 cip: 0x3B88A240
cp: 1695 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2649, server: 1941884)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (93 bytes)
spp_stream4.c:3702: [A] Allocating 56 bytes for StreamPacketData
spp_stream4.c:3713: [A] Allocating 93 bytes for packet
spp_stream4.c:4655: server.base_seq(121430018)
server.last_ack(123311182) server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 2 streams active, 2668 bytes in use
spp_stream4.c:1720: pcount stream packet 2683

####this is the packet that is the first half of the 'cooked' stream4
packet. Note that the client stream is flushed here.
spp_stream4.c:1746: Got Packet 0xFA6DAD42:80 -> 0x3B88A240:1695
***A****spp_stream4.c:1751: pkt_seq: 123311182, pkt_ack: 1480851998
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0xFA6DAD42 sp: 80 cip: 0x3B88A240
cp: 1695 flags: ***A****
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 2688, server: 1941884)
spp_stream4.c:1880: server packet: ***A****
spp_stream4.c:2108: Client state: ESTABLISHED
spp_stream4.c:2183: ACKING Client Data
spp_stream4.c:4575: client.base_seq(1480850729)
client.last_ack(1480851998) offset(1269)
spp_stream4.c:4601: client.base_seq(1480850729)
client.last_ack(1480851998) client.next_seq(1480850729)
spp_stream4.c:4616: Flushing Client packet buffer (1269 bytes a:
0x5844021E b: 0x5843FD29 pkts: 2)
spp_stream4.c:3991: FlushStream Entered:last_ack(1480851998)
base_seq(1480850729) trCount(2)
gspp_stream4.c:411: (1480850729,1480851997,1480850729) = (low, high,
cur)
spp_stream4.c:411: (1480850729,1480851998,1480851998) = (low, high, cur)
spp_stream4.c:577: Copying 1269 bytes into buffer, offset 0, buf
0x1d8046
spp_stream4.c:582: spd->seq_num (1480850729) s->last_ack (1480851998)
s->base_seq(1480850729) size: (1269) s->next_seq(1480851998), offset(0),
MAX(65481)
spp_stream4.c:411: (1480850729,1480851997,1480853378) = (low, high, cur)
spp_stream4.c:411: (1480850729,1480851997,1480853378) = (low, high, cur)
spp_stream4.c:633: => Segment is past last ack'd data, ignoring for
now...
spp_stream4.c:633: => (39 bytes @ seq 0x58440782, ack:
0x5844021E)
spp_stream4.c:4336: Built packet to 64.162.136.59 from fa6dad42 with
2649 byte payload, Direction: from_client
spp_stream4.c:4343: packet is from client!
spp_stream4.c:1720: pcount stream packet 2684
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:4078: Flusing stream due to an alert!
spp_stream4.c:1503: REBUILT_STREAM returning
spp_stream4.c:4082: Don't Flush a Rebuilt Stream
spp_stream4.c:671: [sct] chucking used segment
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2010: pkt is from server
spp_stream4.c:3498: 2 streams active, 1289 bytes in use
spp_stream4.c:1720: pcount stream packet 2685


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
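A constructed simulation of the flush path that the debug output above appears to show. It is added here as an illustration and is not Snort's code; the segment contents, sequence numbers and function names are made up. In the trace both flushes write into the same buffer (buf 0x1d8046), and the second one copies 1269 bytes at offset 0 yet builds a packet with a 2649 byte payload, so the tail of that payload is whatever the previous session's flush left behind. The naive flush below reproduces that by reporting the tracked byte count as the payload length; the hardened flush clears the region and reports only the contiguous ack'd bytes it actually laid down.

```c
/*
 * Constructed simulation of a stream flush into one shared rebuild buffer.
 * Not Snort code: segment contents, sequence numbers and names are made up
 * for illustration. Segments are assumed sorted by sequence number and no
 * sequence-number wraparound is handled.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REBUILD_MAX 65481            /* MAX(65481) in the log: one shared rebuild buffer */

typedef struct {
    uint32_t    seq;                 /* first sequence number of the segment */
    size_t      len;
    const char *data;
} segment_t;

typedef struct {
    uint32_t         base_seq;       /* s->base_seq in the log */
    uint32_t         last_ack;       /* s->last_ack: only data below this is ack'd */
    size_t           tracked_bytes;  /* "Tracked Bytes": every stored byte, ack'd or not */
    const segment_t *segs;
    size_t           nsegs;
} stream_t;

/* The single reassembly buffer reused for every session's flush. */
static unsigned char rebuild_buf[REBUILD_MAX];

/* Lays down the ack'd segments; returns the contiguous byte count written from offset 0. */
static size_t lay_down_acked(const stream_t *s)
{
    size_t contiguous = 0;
    for (size_t i = 0; i < s->nsegs; i++) {
        const segment_t *sp = &s->segs[i];
        uint32_t off = sp->seq - s->base_seq;
        if (sp->seq + sp->len > s->last_ack || off + sp->len > REBUILD_MAX)
            continue;                /* "Segment is past last ack'd data, ignoring" */
        memcpy(rebuild_buf + off, sp->data, sp->len);
        if (off == contiguous)       /* extend only while there is no hole */
            contiguous += sp->len;
    }
    return contiguous;
}

/* Mangling variant: the payload length is the tracked byte count, not what was
 * copied, so bytes between the copied data and that length are stale buffer
 * contents left by the previous session's flush. */
size_t flush_naive(const stream_t *s, const unsigned char **payload)
{
    lay_down_acked(s);
    *payload = rebuild_buf;
    return s->tracked_bytes;
}

/* Hardened variant: clear the region first and report only contiguous ack'd bytes. */
size_t flush_safe(const stream_t *s, const unsigned char **payload)
{
    size_t span = s->tracked_bytes < REBUILD_MAX ? s->tracked_bytes : REBUILD_MAX;
    memset(rebuild_buf, 0, span);
    size_t n = lay_down_acked(s);
    *payload = rebuild_buf;
    return n;
}

/* Constructed traffic: session A's 404 response (112 bytes) is flushed first, then
 * session B's request, whose second segment (81 bytes) the peer has not ack'd yet. */
static const char resp_a[] =
    "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>The page cannot be found</h1></body></html>\r\n";
static const char req_b1[] = "GET /product.asp?catalog%5Fname=example HTTP/1.0\r\n\r\n";
static const char req_b2[] =
    "GET /next.asp HTTP/1.0\r\nCookie: ASPSESSIONIDCCABQACB=PHJNIKICAMMJDNJPNBOKGLHD\r\n\r\n";

static const segment_t segs_a[] = { { 1000, sizeof resp_a - 1, resp_a } };
static const segment_t segs_b[] = {
    { 5000, sizeof req_b1 - 1, req_b1 },
    { (uint32_t)(5000 + sizeof req_b1 - 1), sizeof req_b2 - 1, req_b2 },  /* not yet ack'd */
};
static const stream_t stream_a = { 1000, (uint32_t)(1000 + sizeof resp_a - 1),
                                   sizeof resp_a - 1, segs_a, 1 };
static const stream_t stream_b = { 5000, (uint32_t)(5000 + sizeof req_b1 - 1),
                                   sizeof req_b1 - 1 + sizeof req_b2 - 1, segs_b, 2 };

/* Flushes A then B with the given flush function; returns 1 if B's rebuilt
 * payload carries bytes of A's response, and stores the reported payload length. */
static int rebuilt_contains_a(size_t (*flush)(const stream_t *, const unsigned char **),
                              size_t *out_len)
{
    const unsigned char *p;
    const char *needle = "page cannot be found";
    size_t nl = strlen(needle);
    flush(&stream_a, &p);            /* session A flushed and dropped first */
    *out_len = flush(&stream_b, &p); /* session B flushed into the same buffer */
    for (size_t i = 0; i + nl <= *out_len; i++)
        if (memcmp(p + i, needle, nl) == 0)
            return 1;
    return 0;
}

int mangled_by_naive_flush(void) { size_t n; return rebuilt_contains_a(flush_naive, &n); }
int mangled_by_safe_flush(void)  { size_t n; return rebuilt_contains_a(flush_safe, &n); }
size_t naive_payload_len(void)   { size_t n; rebuilt_contains_a(flush_naive, &n); return n; }
size_t safe_payload_len(void)    { size_t n; rebuilt_contains_a(flush_safe, &n); return n; }

int main(void)
{
    printf("naive flush: %zu-byte payload, stale data from session A: %d\n",
           naive_payload_len(), mangled_by_naive_flush());
    printf("safe  flush: %zu-byte payload, stale data from session A: %d\n",
           safe_payload_len(), mangled_by_safe_flush());
    return 0;
}
```

Compile with cc -std=c99 -Wall. In the naive path the rebuilt request for session B is reported as 133 bytes although only 52 were copied, and the 404 body from session A shows up in it; the hardened path reports 52 bytes and carries nothing from A. The same check applies to a real stream4 debug trace: add up the "Copying N bytes into buffer, offset O" lines of one flush and compare the total with the "Built packet ... with M byte payload" line that follows; when M exceeds the bytes copied, the rebuilt packet includes stale buffer contents and any rule that fires on it is suspect.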