Snort mailing list archives
Re: (snort_decoder): Truncated Tcp Options
From: MH <procana () insight rr com>
Date: Sun, 27 Apr 2003 08:00:27 -0400
Hi Jason,

What the Truncated TCP options means is that a certain tcp option was set in the segment (identified by an option "Kind") but did not use a corresponding length or reported an incorrect length.

For example if a maximum segment size (MSS) option, kind = 2, is used it is followed by the length of that option including that option's data (Length = 4). This way the stack knows to look at 4 bytes total for this particular option to find the option's data.

The packet trace for an MSS of 1460 might look like this

... 02 04 05 b4 ...

Take a look at your snort dump or a packet trace that tripped this alert and look for the offending "Kind" of option that was set. Next to that you will see what it is reporting as the length of the option. The reported length would place the data for that option beyond the allotted space to the options within the segment.

Reference the parameters list here: http://www.iana.org/assignments/tcp-parameters

Clear as mud right?

You can turn this off within your snort.conf file by adding the line "config disable_tcpopt_alerts"

Hope this helps,
Mike

ASCII ribbon campaign against HTML email

At 04:53 PM 4/26/2003 -0400, Jason Beveridge wrote:
Hi,

I am a newbie. I keep getting a lot of alerts listed as: (snort_decoder): Truncated Tcp Options. There's no snort ID for them - it seems they are junk. What is this and how can I get rid of it? Any info is appreciated.

Jason

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
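
Added example (not part of the original thread and not Snort's decoder code): a minimal Python walk over a TCP options area that reports the Kind/Length problems described in the reply above, using its `02 04 05 b4` MSS bytes as the well-formed case. The function name `walk_tcp_options` and all sample byte strings are constructed for illustration.

```python
# Added illustration, not Snort source. Option names follow the IANA
# tcp-parameters registry; sample byte strings are constructed.
KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "Window Scale",
         4: "SACK Permitted", 5: "SACK", 8: "Timestamps"}


def walk_tcp_options(opts: bytes):
    """Walk a TCP options area.

    Returns (parsed, problem): parsed is a list of (kind, length, data)
    tuples decoded so far; problem is None or a string saying why the
    walk had to stop.
    """
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List: one byte, stop
            parsed.append((0, 1, b""))
            break
        if kind == 1:                      # No-Operation: one byte of padding
            parsed.append((1, 1, b""))
            i += 1
            continue
        where = f"kind {kind} ({KINDS.get(kind, 'unknown')}) at offset {i}"
        if i + 1 >= len(opts):             # Kind present, length byte missing
            return parsed, f"{where}: no length byte"
        length = opts[i + 1]               # counts kind + length + data bytes
        if length < 2:
            return parsed, f"{where}: length {length} is below the 2-byte minimum"
        if i + length > len(opts):         # data would fall outside the options
            return parsed, f"{where}: length {length} runs past the {len(opts)}-byte options area"
        parsed.append((kind, length, opts[i + 2:i + length]))
        i += length
    return parsed, None


if __name__ == "__main__":
    samples = {
        "well-formed": "020405b401010402",
        "length past end": "020405b40101080a",
        "missing length byte": "01010108",
        "zero length": "02000000",
    }
    for label, hexstr in samples.items():
        parsed, problem = walk_tcp_options(bytes.fromhex(hexstr))
        print(f"{label:20} {hexstr:18} -> {problem or 'ok'}")
        for kind, length, data in parsed:
            print(f"    kind={kind} len={length} data={data.hex() or '-'}")
```

When triaging one of these alerts, the offset in the returned message points at the Kind byte to inspect in the packet dump.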
Current thread:
- (snort_decoder): Truncated Tcp Options Jason Beveridge (Apr 26)
- Re: (snort_decoder): Truncated Tcp Options MH (Apr 27)