Snort mailing list archives

Re: TCP header reserved bits


From: Y M <snort () outlook com>
Date: Tue, 28 Jul 2015 18:06:24 +0000

Thanks Geoffrey.

Interesting. My interpretation of the documentation and aligning that with the TCP header, the "E" and "C" flags will 
check whether the last 2 bits of the higher order bits of byte offset 13, i.e.: CWR and ECE. Precisely, I was 
attempting to address the match against the first 3 bits of the lower order bits of byte offset 12 excluding the 
ECN-E/NS bit, similar to what is described in RFC4413, or at least my interpretation of it.

I could be completely off here, so please correct if I am wrong.

Thanks again!
YM

Date: Tue, 28 Jul 2015 13:38:29 -0400
Subject: Re: [Snort-sigs] TCP header reserved bits
From: gserrao () sourcefire com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net

YM,

It looks like you can still use 'flags:2' to check if the low order reserved bits field in a TCP header have been set. 

            case '1': /* reserved bit flags */
            case 'c':
            case 'C':
                idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
                break;

            case '2': /* reserved bit flags */
            case 'e':
            case 'E':
                idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
                break;




From the online snort manual under the 'flags' keyword section: 

The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, 
to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP".
The old values of '1' and '2' are still valid for the flag keyword, but
are now deprecated.



On Tue, Jul 28, 2015 at 12:46 PM, Y M <snort () outlook com> wrote:



I was wondering if there is a content modifier or some way to check whether the low order reserved bits of byte offset 
12 in the TCP header are set. There is nothing I could find about this in the documentation. I also checked gid:129 
rules and couldn't infer that the check/detection is available.

Any pointers or help is welcome.

Thanks.
YM
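The distinction the thread turns on, as an added example that is not part of any message above: Snort's 'C'/'E' (old '1'/'2') flag letters test the CWR and ECE bits in byte offset 13, while the three RFC 793 reserved bits live in the low nibble of byte offset 12 next to the NS bit. The header bytes below are constructed for the example, not a capture, and snort_flags_plus_match is a simplified stand-in for the 'flags:...+' test, not Snort's own code.

```python
import struct

# Bits in TCP header byte 13 that Snort's flags C/E (old 1/2) map to,
# mirroring the switch quoted above. The other letters are the standard flag bits.
R_CWR = 0x80
R_ECE = 0x40
SNORT_FLAG_BITS = {"1": R_CWR, "c": R_CWR, "C": R_CWR,
                   "2": R_ECE, "e": R_ECE, "E": R_ECE,
                   "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def build_tcp_header(reserved3: int, ns: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options) for the example; not a capture.
    Byte 12 = data offset (5) in the high nibble, then the three reserved bits
    (bits 3..1) and the NS/ECN-nonce bit (bit 0). Byte 13 = flags."""
    byte12 = (5 << 4) | ((reserved3 & 0x7) << 1) | (ns & 0x1)
    return struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, byte12, flags, 65535, 0, 0)


def parse_bytes_12_13(hdr: bytes) -> dict:
    """Split byte offsets 12 and 13 into the fields the thread discusses."""
    byte12, byte13 = hdr[12], hdr[13]
    return {
        "data_offset": byte12 >> 4,
        "reserved3": (byte12 >> 1) & 0x7,  # RFC 793 reserved bits, excluding NS
        "ns": byte12 & 0x1,                # NS bit (RFC 3540)
        "cwr": bool(byte13 & R_CWR),       # what flags:C tests
        "ece": bool(byte13 & R_ECE),       # what flags:E tests
    }


def snort_flags_plus_match(hdr: bytes, spec: str) -> bool:
    """Simplified 'flags:<spec>+' style test: every named flag set, others ignored."""
    want = 0
    for ch in spec:
        want |= SNORT_FLAG_BITS[ch]
    return hdr[13] & want == want


def reserved_bits_set(hdr: bytes) -> bool:
    """The check YM is after: any of the three reserved bits in byte 12 set."""
    return parse_bytes_12_13(hdr)["reserved3"] != 0


if __name__ == "__main__":
    odd = build_tcp_header(reserved3=0b110, ns=0, flags=0x02)  # SYN, reserved bits set
    ecn = build_tcp_header(reserved3=0, ns=0, flags=0xC2)      # SYN|ECE|CWR, reserved clear
    print(parse_bytes_12_13(odd), reserved_bits_set(odd), snort_flags_plus_match(odd, "CE"))
    print(parse_bytes_12_13(ecn), reserved_bits_set(ecn), snort_flags_plus_match(ecn, "CE"))
```

The first header is exactly the case a flags:CE rule does not catch: the reserved bits in byte 12 are set while CWR/ECE in byte 13 are clear.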
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!