Snort mailing list archives
Re: TCP header reserved bits
From: Y M <snort () outlook com>
Date: Tue, 28 Jul 2015 18:06:24 +0000
Thanks Geoffrey. Interesting. My interpretation of the documentation and aligning that with the TCP header, the "E" and "C" flags will check whether the last 2 bits of of the higher order bits of byte offset 13, i.e.: CWR and ECE. Precisely, I was attempting to address the match against the first 3 bits of the lower order bits of byte offset 12 excluding the ECN-E/NS bit, similar to what is described in RFC4413, or at least my interpretation of it. I could be completely off here, so please correct if I am wrong. Thanks again! YM Date: Tue, 28 Jul 2015 13:38:29 -0400 Subject: Re: [Snort-sigs] TCP header reserved bits From: gserrao () sourcefire com To: snort () outlook com CC: snort-sigs () lists sourceforge net YM, It looks like you can still use 'flags:2' to check if the low order reserved bits field in a TCP header have been set. 229 case '1': /* reserved bit flags */ 230 case 'c': 231 case 'C': 232 idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */ 233 break; 234 235 case '2': /* reserved bit flags */ 236 case 'e': 237 case 'E': 238 idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */ 239 break;
From the online snort manual under the 'flags' keyword section:
The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". The old values of '1' and '2' are still valid for the flag keyword, but are now deprecated. On Tue, Jul 28, 2015 at 12:46 PM, Y M <snort () outlook com> wrote: I was wondering if there is a content modifier or some way to check whether the low order reserved bits of byte offset 12 in the TCP header is set. There is nothing I could find about this in the documentation. I also checked gid:129 rules and couldn't infer that the check/detection is available. Any pointers or help is welcome. Thanks. YM ------------------------------------------------------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)
- Re: TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)
- Re: TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)