Re: spp_stream4: Possible RETRANSMISSION detection

[Mads Rasmussen <mads () cit com br>]

On Monday 20 August 2001 14:05, you wrote:
> On Mon, 20 Aug 2001, Mads Rasmussen wrote:
> > Anyone knows what this could be?
>
> Yep.

Could you tell me some more, please?

> > I hope it isn't evil, I have a lot a these packages coming.
> Depends.  Check out:  http://snort.sourcefire.com/docs/faq.html#3.14 for
> info on what's going on and why.

Well I tried running with the -z est flag but the alerts doesn't change, I 
guess that the checksums for the incoming packages doesn't match or something 
like that.

Before my time here, the server was configured with stronghold where the 
proxy funcion was enabled. Now we have removed this almost a year ago, but 
there are still requests coming. Could that be the cause of what I am seeing?

[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]
08/20-16:47:57.585886 193.253.192.85:1214 -> 200.246.37.4:3300
TCP TTL:111 TOS:0x0 ID:44713 IpLen:20 DgmLen:1400 DF
***A**** Seq: 0x396EEE38  Ack: 0x32D5CD39  Win: 0x43DD  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2714606 390515132

Another thing, the ports database that was on the snort site some time ago 
has vanished. Any chance of putting it on again?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users