Hosting Provided By

[Snort-devel] Odd behaviour of spp_stream4 "TCP checksum changed on retransmission" alert in Snort 2.0.0rc1

From: Pearce, Rob D <Rob.D.Pearce(at)team.telstra.com>
Date: Tue Apr 01 2003 - 18:33:29 EST

Hi,

I've just started doing some testing with Snort v2.0.0rc1 and I've noticed something strange which I thought was worth reporting - the "TCP checksum changed on retransmission (possible fragroute) detection" alert seems to be being triggered by packets where the _IP_ checksum has changed, rather than the TCP checksum - thus when packets are retransmitted with new IP IDs (and thus new IP checksums) this alert is being triggered, despite the TCP checksum remaining the same.

Packet captures of the packets in question are as follows (IP addresses and some data removed):

First packet:
[**] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection [**]
04/01-23:30:06.887461 x.x.x.x:25 -> y.y.y.y:54667 TCP TTL:52 TOS:0x0 ID:55684 IpLen:20 DgmLen:66 DF ***AP**F Seq: 0xE7D37CC8 Ack: 0xE6188AF4 Win: 0xE100 TcpLen: 20 0x0000: 08 00 20 81 E3 75 00 E0 1E 33 B9 F8 08 00 45 00 ..
..u...3....E.

0x0010: 00 42 D9 84 40 00 34 06 5B CC xx xx xx xx yy yy
.B..@.4.[..'....

0x0020: yy yy 00 19 D5 8B E7 D3 7C C8 E6 18 8A F4 50 19
.2......|.....P.

0x0030: E1 00 5D 6F 00 00 32 32 30 20 48 65 6C 6C 6F 20 ..]o..220 Hello

Second packet:
[**] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection [**]
04/01-23:31:10.891615 x.x.x.x:25 -> y.y.y.y:54667 TCP TTL:52 TOS:0x0 ID:398 IpLen:20 DgmLen:66 DF ***AP**F Seq: 0xE7D37CC8 Ack: 0xE6188AF4 Win: 0xE100 TcpLen: 20 0x0000: 08 00 20 81 E3 75 00 E0 1E 33 B9 F8 08 00 45 00 ..
..u...3....E.

0x0010: 00 42 01 8E 40 00 34 06 33 C3 xx xx xx xx yy yy
.B..@.4.3..'....

0x0020: yy yy 00 19 D5 8B E7 D3 7C C8 E6 18 8A F4 50 19
.2......|.....P.

0x0030: E1 00 5D 6F 00 00 32 32 30 20 48 65 6C 6C 6F 20 ..]o..220 Hello

The system I'm running it on is:

Architecture:      x86 PentiumII
OS:                Linux 2.2.14-12
Snort version:     2.0.0rc1
Preprocessors:     frag2, stream4, http_decode, bo, telnet_decode,
portscan
Rules:             Those from

http://www.snort.org/downloads/snortrules.tar.gz Output plugins: alert_syslog
Commandline: snort -d -c /opt/snort/config/snort.conf Snort error msgs: N/A

Is this the expected behaviour or something which shouldn't be happening?

Regards,
Rob Pearce
Telstra InterNetworking Solutions
ACT Firewall Team

This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Wed Apr 2 08:35:06 2003

Do you need help?

This message: [ Message body ]
Next message: zhangqs: "[Snort-devel] where and what name they are???"
Previous message: Chris Green: "Re: [Snort-devel] Snort 2.0rc2 patch to fix the Unix socket problem"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:04 EDT