Snort mailing list archives

tcp_decode logging

From: vulnerable <vulnerable () gmail com>
Date: Thu, 13 Apr 2006 11:43:51 -0700

Recently i've been recieving lots of 'tcp experimental options' alerts
through the tcp_decoder.

I am using barnyard w/ unified logging however the tcp options are not
being logged.  Is this by design?  I can't find any firm answers.  I'd
like to enable this if I can.

And since this isn't being logged I can't find the cause,  I'm
assuming it's a false positive though.  Random packet captures show
the options such as:

| 02 04 05 78 01 01 04 02 4c 0a 00 40  01 01 0a 70 01 1e 00 05 01 00  |
which ethereal decodes as MSS 1400 NOP NOP SACK Unknown 0x4c NOP EOL

But I'm only assuming this is the bad packet since none of the flagged
packets are being logged by snort...

Is it recommended that I disable this alert w/ config
disable_tcpopt_experimental_alerts?  Still, I'd prefer to fix or
understand the issue before disabling the alert.  What are the general
causes of these experimental options?

tia


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

tcp_decode logging vulnerable (Apr 13)
- Re: tcp_decode logging Will Metcalf (Apr 13)
  - Re: tcp_decode logging vulnerable (Apr 13)