Snort mailing list archives
Undeliverable:Questions about TCP Options (fwd)
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 18 Mar 2005 13:12:22 -0600
Can we please unsubscribe this address. I've been getting bounces from it for weeks now.
------------ Forwarded Message ------------ Date: Friday, March 18, 2005 01:03:16 PM -0600 From: System Administrator <postmaster () utdevs08 utdallas edu> To: "Schmehl, Paul L" <pauls () utdallas edu> Cc: Subject: Undeliverable:[Snort-users] Questions about TCP Options Your message To: snort-users () lists sourceforge net Subject: [Snort-users] Questions about TCP Options Sent: Fri, 18 Mar 2005 13:00:40 -0600 did not reach the following recipient(s): anjah () imedia fr on Fri, 18 Mar 2005 13:06:23 -0600 The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address. <imedia-hvj182q6.imedia.net #5.1.1> ---------- End Forwarded Message ---------- Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
--- Begin Message --- From: "System Administrator" <postmaster () utdevs08 utdallas edu>
Date: Fri, 18 Mar 2005 13:03:16 -0600
Your message To: snort-users () lists sourceforge net Subject: [Snort-users] Questions about TCP Options Sent: Fri, 18 Mar 2005 13:00:40 -0600 did not reach the following recipient(s): anjah () imedia fr on Fri, 18 Mar 2005 13:06:23 -0600 The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address. <imedia-hvj182q6.imedia.net #5.1.1>Reporting-MTA: dns; UTDEVS08.campus.ad.utdallas.edu Final-Recipient: RFC822; anjah@imedia.fr Action: failed Status: 5.1.1 X-Supplementary-Info: <imedia-hvj182q6.imedia.net #5.1.1> X-Display-Name: anjah@imedia.fr--- Begin Message --- From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 18 Mar 2005 13:00:40 -0600
I have some questions about three alerts. All three are generated by preprocessors: Truncated TCP Options Experimental TCP Options Stealth Activity Detected In all three cases, viewing the data in BASE, the options fields are "None" for both IP and TCP. In all three cases there is no payload. What exactly is snort detecting that sets off these alerts? Here's an example of one raw packet: 03/17-23:00:01.914868 129.110.95.215:46597 -> 67.123.84.30:22 TCP TTL:63 TOS:0x0 ID:41027 IpLen:20 DgmLen:68 DF ***AP*** Seq: 0x5F5AF2EC Ack: 0xFD988884 Win: 0x7D4 TcpLen: 32 TCP Options (3) => NOP NOP TS: 20862021 1159970956 00 00 00 0C 0A 15 00 00 00 00 00 00 00 00 00 00 ................ This shows the options as NOP, NOP, TS. I know what the available options are - <http://www.iana.org/assignments/tcp-parameters> But I don't know what "truncated" options are. There's two octets set aside for options. Does "truncated" mean the kind octet is set but the length octet is not? Or vice versa? (And how the heck did Skeeter and Bubba get in there anyway?) What does "Experimental" options mean? Is that referring to SACK? Why are they noteworthy? Let the packet monkeys speak. :-) Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--- End Message ---
--- End Message ---
Current thread:
- Undeliverable:Questions about TCP Options (fwd) Paul Schmehl (Mar 18)