Snort mailing list archives
tcp_decode logging
From: vulnerable <vulnerable () gmail com>
Date: Thu, 13 Apr 2006 11:43:51 -0700
Recently i've been recieving lots of 'tcp experimental options' alerts through the tcp_decoder. I am using barnyard w/ unified logging however the tcp options are not being logged. Is this by design? I can't find any firm answers. I'd like to enable this if I can. And since this isn't being logged I can't find the cause, I'm assuming it's a false positive though. Random packet captures show the options such as: | 02 04 05 78 01 01 04 02 4c 0a 00 40 01 01 0a 70 01 1e 00 05 01 00 | which ethereal decodes as MSS 1400 NOP NOP SACK Unknown 0x4c NOP EOL But I'm only assuming this is the bad packet since none of the flagged packets are being logged by snort... Is it recommended that I disable this alert w/ config disable_tcpopt_experimental_alerts? Still, I'd prefer to fix or understand the issue before disabling the alert. What are the general causes of these experimental options? tia ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- tcp_decode logging vulnerable (Apr 13)
- Re: tcp_decode logging Will Metcalf (Apr 13)
- Re: tcp_decode logging vulnerable (Apr 13)
- Re: tcp_decode logging Will Metcalf (Apr 13)