From: William M. <Wil...@kc...> - 2004-05-04 05:01:25
I think that I might have found the root of our problem regarding stream4. After doing some debugging, it appears as if stream4 resets the stream after an alert. Due to the way we drop traffic, I always see multiple alerts, which I assume means that the attacking computer tries to retransmit the same packet over and over again. I sent an e-mail to the snort-devel mailing list to see if they knew how to disable the flushing of the stream due to an alert. Notice the line that reads "spp_stream4.c:4078: Flusing stream due to an alert!". If we can fix this, I bet stream4 will work for us.

Regards,
Will

spp_stream4.c:1720: pcount stream packet 31
spp_stream4.c:1746: Got Packet 0x6401A8C0:2948 -> 0x6501A8C0:80 ***AP***
spp_stream4.c:1751: pkt_seq: 2241703975, pkt_ack: 1212128272
spp_stream4.c:3432: Trying to get session...
spp_stream4.c:3440: Looking for sip: 0x6401A8C0 sp: 2948 cip: 0x6501A8C0 cp: 80 flags: ***AP***
spp_stream4.c:3447: GetSession forward didn't work, trying backwards...
spp_stream4.c:3455: Looking for sip: 0x6501A8C0 sp: 80 cip: 0x6401A8C0 cp: 2948 flags: ***AP***
spp_stream4.c:3465: Found session
spp_stream4.c:1874: [i] Tracked Bytes: (client: 0, server: 0)
spp_stream4.c:1886: client packet: ***AP***
spp_stream4.c:2409: Server state: ESTABLISHED
spp_stream4.c:3608: Storing client packet (426 bytes)
spp_stream4.c:3655: EVASIVE RETRANS: pkt seq: 0x859DB027 stream->last_ack: 0x859DB1A9
spp_stream4.c:4655: server.base_seq(1212128272) server.last_ack(1212128272) server.next_seq(0)
spp_stream4.c:1958: Stream is established!,ssnflags = 0x7
spp_stream4.c:1999: Marking stream as established
spp_stream4.c:2004: pkt is from client
spp_stream4.c:3498: 1 streams active, 992 bytes in use
spp_stream4.c:1674: Prune time quanta exceeded, pruning stream cache
spp_stream4.c:1685: Pruned for timeouts, 1 sessions active, 992 bytes in use
spp_stream4.c:1685: Stream4 memory cap hit 0 times
spp_stream4.c:4078: Flusing stream due to an alert!
spp_stream4.c:4103: [AFS] Bytes Tracked: 386
spp_stream4.c:4106: [AFS] Bytes Tracked: 0
spp_stream4.c:4115: Moved the base_seq to 2241704361!
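As an added example (not part of Will's message and not Snort's own code), a small Python parser for stream4 debug lines of the shape shown above: it decodes the hex addresses (assuming, as on a little-endian host, that the printed u32 is the network-order address), measures how far the "evasive" packet starts behind the stream's last ACK, and counts alert-triggered flushes, which together are the alert-then-retransmit pattern the message describes. The log text in the block is a constructed sample in the same format.

```python
import re
import struct

# Constructed sample in the format of the stream4 debug output quoted in the post.
SAMPLE_LOG = """\
spp_stream4.c:1746: Got Packet 0x6401A8C0:2948 -> 0x6501A8C0:80 ***AP***
spp_stream4.c:1751: pkt_seq: 2241703975, pkt_ack: 1212128272
spp_stream4.c:3608: Storing client packet (426 bytes)
spp_stream4.c:3655: EVASIVE RETRANS: pkt seq: 0x859DB027 stream->last_ack: 0x859DB1A9
spp_stream4.c:4078: Flusing stream due to an alert!
spp_stream4.c:4115: Moved the base_seq to 2241704361!
"""

PKT_RE = re.compile(r"Got Packet (0x[0-9A-Fa-f]+):(\d+) -> (0x[0-9A-Fa-f]+):(\d+)")
RETRANS_RE = re.compile(r"EVASIVE RETRANS: pkt seq: (0x[0-9A-Fa-f]+) stream->last_ack: (0x[0-9A-Fa-f]+)")


def decode_ip(hexword):
    """Assumption: the address is a network-order in_addr printed as a host-order
    u32 on a little-endian box, so 0x6401A8C0 is the byte string C0 A8 01 64."""
    return ".".join(str(b) for b in struct.pack("<I", int(hexword, 16)))


def analyze(log):
    """Collect flows, evasive-retransmission facts and alert flush count from the log."""
    result = {"flows": [], "retrans": [], "flushes": 0}
    for line in log.splitlines():
        if m := PKT_RE.search(line):
            src, sport, dst, dport = m.groups()
            result["flows"].append((decode_ip(src), int(sport), decode_ip(dst), int(dport)))
        elif m := RETRANS_RE.search(line):
            seq, last_ack = (int(x, 16) for x in m.groups())
            # TCP sequence space wraps at 2^32; a packet whose seq lies below
            # last_ack re-sends bytes the peer has already acknowledged.
            behind = (last_ack - seq) & 0xFFFFFFFF
            result["retrans"].append({"seq": seq, "last_ack": last_ack, "bytes_behind_ack": behind})
        elif "Flusing stream due to an alert" in line:  # spelling as printed by stream4
            result["flushes"] += 1
    return result


def alert_retransmit_loop(result):
    """True when the stream was flushed on an alert and the same data came back
    as a retransmission, i.e. the repeated-alert behaviour described in the post."""
    return result["flushes"] > 0 and any(r["bytes_behind_ack"] > 0 for r in result["retrans"])
```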