Snort mailing list archives
Re: TCP flags issue
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 10 Feb 2015 01:29:18 +0000
I am assuming that you are using the SFSnortPacket pointer (p) for your program. I have tested this using the default example provided with snort. It alerts as expected with the same setup you have below:

    if (p->tcp_header->flags & TCPHEADER_SYN){
        printf("SYN PACKET!!!!\n");
    }

I have attached the spp_example.c, conf and pcap used for the test. The changes I made in the spp_example.c are under the "ExampleProcess" function. I inserted your code there. The pcap has 3 packets. Two that have the syn flag set and one with only an ack flag. The two syns alert as expected.

    root@debian-7:/var/tmp/snort-2.9.7.0-released-EDITED# ./bin/snort -c etc/syntest.conf -r etc/synpacket.pcapng -Acmg -k none -q
    SYN PACKET!!!!
    SYN PACKET!!!!

Hope this helps!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: sajjad purmohseni [mailto:spurmohseni () yahoo com]
Sent: Thursday, February 05, 2015 5:55 PM
To: Steve Sturges (ststurge); Balasubramaniam Natarajan
Cc: Snort-devel Mailinglist
Subject: Re: [Snort-devel] TCP flags issue

Thanks for replying; now I know where the ninth bit is. But this condition is never taken in my code:

    if (p->tcp_header->flags & TCPHEADER_SYN){ //0x02
        /* ... */
    }

I believe that must be taken. Is there anything wrong?

Thank you
Sajad

On Wednesday, February 4, 2015 6:59 PM, Steven Sturges <ststurge () cisco com> wrote:

Per updates to the TCP specification, there are 8 bits of flags in the TCP flags section. The additional "flag" is really part of the adjacent 8 bits that cover the Data Offset & Reserved fields. The ECN Nonce is "flag" 9, aka bit 1 of that adjacent octet. Use bit 1 of offset_reserved in TCPHeader if you need to check that in a dynamic module that uses sf_snort_packet.h.
On 2/4/15 3:10 AM, Balasubramaniam Natarajan wrote:

On Wed, Feb 4, 2015 at 3:12 AM, sajjad purmohseni <spurmohseni () yahoo com> wrote:

> Hi all
>
> As you know TCP has 9 flags. But as you see TCP flags of snort is 8 bits defined in sf_snort_packet.h file:

For all I know TCP has just 6 Flags in use currently.

>     typedef struct _TCPHeader {
>         ...
>         uint8_t flags;
>         ...
>     } TCPHeader;
>
> also predefined flags are 9 bits as must be:
>
>     #define TCPHEADER_FIN 0x01
>     #define TCPHEADER_SYN 0x02
>     ...
>
> Now I am confused if I want to check TCP_SYN flag; how to do that. I have used this but it doesn't return the correct answer:

I believe the 13 offset of TCP header should be 0x03 for SYN&FIN.

>     if (packet->tcp_header->flags & TCPHEADER_SYN){
>         ...
>     }
>
> Can anybody guide me about this issue?
>
> Thank you.
>
> ----
> kind regards;
> Sajad Pourmohseni

--
Regards,
Balasubramaniam Natarajan
http://blog.etutorshop.com
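The layout the thread settles on, shown as an added C example that is not from the thread or from Snort's sources: the eight flag bits sit in byte 13 of the TCP header (the flags octet), and the "ninth flag", the ECN nonce, is the low-order bit of byte 12, the data-offset/reserved octet that Snort exposes as offset_reserved. The MiniTcpHeader struct, the helper functions and the four sample segments are all constructed here, not taken from sf_snort_packet.h.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bit in the TCP flags octet (byte 13 of the header), as named in sf_snort_packet.h. */
#define TCPHEADER_SYN 0x02
/* The "ninth flag" (ECN nonce, RFC 3540) is the low-order bit of byte 12, the
 * data-offset/reserved octet that Snort exposes as offset_reserved. */
#define TCP_OFFRES_NS 0x01

/* Minimal stand-in for the two TCPHeader fields the thread discusses (assumed layout). */
typedef struct {
    uint8_t offset_reserved;   /* high nibble: header length in 32-bit words; bit 0: NS */
    uint8_t flags;             /* CWR ECE URG ACK PSH RST SYN FIN */
} MiniTcpHeader;

/* Pull those two octets out of a raw TCP segment; reject truncated or bogus headers. */
static int parse_tcp(const uint8_t *seg, size_t len, MiniTcpHeader *h) {
    if (seg == NULL || len < 20) return -1;       /* minimal TCP header is 20 bytes */
    h->offset_reserved = seg[12];
    h->flags           = seg[13];
    if ((h->offset_reserved >> 4) < 5) return -1; /* data offset below 5 words is invalid */
    return 0;
}
/* Flags octet of a segment, or -1 if the header is malformed. */
int segment_flags(const uint8_t *seg, size_t len) {
    MiniTcpHeader h;
    return parse_tcp(seg, len, &h) == 0 ? h.flags : -1;
}
/* 1 if the ECN nonce bit is set, 0 if clear, -1 if malformed. */
int segment_has_ns(const uint8_t *seg, size_t len) {
    MiniTcpHeader h;
    return parse_tcp(seg, len, &h) == 0 ? (h.offset_reserved & TCP_OFFRES_NS) != 0 : -1;
}

/* Constructed 20-byte headers (port 40000 -> 80, no options), modelled on the thread's
 * pcap: two SYNs (one with NS set) and one pure ACK, plus one with a bad data offset. */
static const uint8_t SEG_SYN[20]    = {0x9c,0x40,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0};
static const uint8_t SEG_SYN_NS[20] = {0x9c,0x40,0x00,0x50, 0,0,0,2, 0,0,0,0, 0x51,0x02, 0xff,0xff, 0,0, 0,0};
static const uint8_t SEG_ACK[20]    = {0x9c,0x40,0x00,0x50, 0,0,0,3, 0,0,0,1, 0x50,0x10, 0xff,0xff, 0,0, 0,0};
static const uint8_t SEG_BAD[20]    = {0x9c,0x40,0x00,0x50, 0,0,0,4, 0,0,0,0, 0x30,0x02, 0xff,0xff, 0,0, 0,0};

/* The thread's ExampleProcess check, run over the samples: counts segments with SYN set. */
int count_syn_in_sample(void) {
    const uint8_t *segs[] = {SEG_SYN, SEG_SYN_NS, SEG_ACK, SEG_BAD};
    int n = 0;
    for (size_t i = 0; i < sizeof segs / sizeof segs[0]; i++) {
        int f = segment_flags(segs[i], 20);
        if (f >= 0 && (f & TCPHEADER_SYN)) { printf("SYN PACKET!!!!\n"); n++; }
    }
    return n;
}
```

The malformed sample is skipped rather than counted, which is the check a preprocessor wants before trusting anything past the fixed header.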
Attachment:
spp_example.c
Description: spp_example.c
Attachment:
syntest.pcapng
Description: syntest.pcapng
Attachment:
syntest.conf
Description: syntest.conf
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- TCP flags issue sajjad purmohseni (Feb 03)
- Re: TCP flags issue Balasubramaniam Natarajan (Feb 04)
- Re: TCP flags issue Steven Sturges (Feb 04)
- Re: TCP flags issue sajjad purmohseni (Feb 05)
- Re: TCP flags issue Al Lewis (allewi) (Feb 09)
- Re: TCP flags issue Steven Sturges (Feb 04)
- Re: TCP flags issue Balasubramaniam Natarajan (Feb 04)