Snort mailing list archives

Acid TCP options


From: "Selder, Patrick [NCSBE - Non JJ]" <PSELDER () ncsbe jnj com>
Date: Tue, 31 Jul 2001 08:34:07 +0200

I have found a few alerts that look weird in my eyes. Maybe someone can
clear the mist for me.

The alert is triggered for connecting to the ftp service. Normally the TCP
flags are r1=X r0=X syn=X seq=..... offset 10; this is blocked and logged
by the firewall.

Now I'm getting a connection attempt to port 21 with the following TCP flags
r1= r0= syn=x seq=..... offset 7, but no blocking rules from the firewall.
Did the packet go through? I have no ftp service running though. Or could it be
a false positive?

My simple snort rule is: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP connection attempt"; flags:S+; classtype:bad-unknown;)
Is this rule correct for this?

Can someone explain the TCP flags r1, r0,urg and psh?


Thanks and best regards,
Patrick Selder
e-Business Operations Team
Networking & Computing Services
Johnson & Johnson
tel. +32-14-606438
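As an added example (not from the thread), a small Python decoder for the fields asked about: it reads the TCP data offset and the flags byte, including the two reserved bits that the log above labels r1/r0 (an assumed mapping for that log format), and emulates the `flags:S+` test from the rule quoted in the post. The two SYN segments are constructed sample data, not captures.

```python
import struct

# Bits of the TCP flags byte (header byte 13). The two high bits are the RFC 793
# "reserved" bits that older Snort and firewall logs print as r1/r0 (assumed
# mapping for the poster's log format); RFC 3168 later redefined them as CWR/ECE.
FLAG_BITS = {"r1": 0x80, "r0": 0x40, "urg": 0x20, "ack": 0x10,
             "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01}

def parse_tcp_header(segment):
    """Decode ports, seq, data offset, options and flags from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win = struct.unpack("!HHIIBBH", segment[:16])
    offset = off_res >> 4                   # header length in 32-bit words
    hdr_len = offset * 4                    # 20 bytes fixed part + options
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset %d" % offset)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "offset": offset, "header_len": hdr_len, "options": segment[20:hdr_len],
            "flags": {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}}

def snort_flags_match(info, spec):
    """Emulate the Snort 'flags:' test for its plain and '+' forms:
    'S' matches only a bare SYN, 'S+' matches SYN with any other bits set."""
    letters = {"F": "fin", "S": "syn", "R": "rst", "P": "psh", "A": "ack", "U": "urg"}
    wanted = {letters[c] for c in spec.rstrip("+")}
    present = {name for name, on in info["flags"].items() if on}
    return wanted <= present if spec.endswith("+") else wanted == present

def build_syn(options, flags=0x02, dport=21, seq=0x1000):
    """Construct a sample SYN to port 21 (not a capture); options must be 4-byte padded."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    offset = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, offset << 4, flags,
                       8192, 0, 0) + options

# Constructed option blocks: 20 bytes (MSS, SACK-permitted, timestamp, NOP, window
# scale) gives offset 10; 8 bytes (MSS, NOP, NOP, SACK-permitted) gives offset 7.
# Both are ordinary SYNs; the offset only tells you how many options the peer sent.
OPTS_LONG = bytes([2, 4, 5, 0xb4, 4, 2, 8, 10]) + bytes(8) + bytes([1, 3, 3, 0])
OPTS_SHORT = bytes([2, 4, 5, 0xb4, 1, 1, 4, 2])
SYN_OFFSET_10 = build_syn(OPTS_LONG)
SYN_OFFSET_7 = build_syn(OPTS_SHORT)

if __name__ == "__main__":
    for seg in (SYN_OFFSET_10, SYN_OFFSET_7):
        info = parse_tcp_header(seg)
        print(info["offset"], info["header_len"], snort_flags_match(info, "S+"))
```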
