Snort mailing list archives

Undeliverable:Questions about TCP Options (fwd)


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 18 Mar 2005 13:12:22 -0600

Can we please unsubscribe this address. I've been getting bounces from it for weeks now.

------------ Forwarded Message ------------
Date: Friday, March 18, 2005 01:03:16 PM -0600
From: System Administrator <postmaster () utdevs08 utdallas edu>
To: "Schmehl, Paul L" <pauls () utdallas edu>
Cc:
Subject: Undeliverable:[Snort-users] Questions about TCP Options

Your message

 To:      snort-users () lists sourceforge net
 Subject: [Snort-users] Questions about TCP Options
 Sent:    Fri, 18 Mar 2005 13:00:40 -0600

did not reach the following recipient(s):

anjah () imedia fr on Fri, 18 Mar 2005 13:06:23 -0600
   The e-mail account does not exist at the organization this message
was sent to.  Check the e-mail address, or contact the recipient
directly to find out the correct address.
   <imedia-hvj182q6.imedia.net #5.1.1>

---------- End Forwarded Message ----------



Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
--- Begin Message ---
From: "System Administrator" <postmaster () utdevs08 utdallas edu>
Date: Fri, 18 Mar 2005 13:03:16 -0600
Your message

  To:      snort-users () lists sourceforge net
  Subject: [Snort-users] Questions about TCP Options
  Sent:    Fri, 18 Mar 2005 13:00:40 -0600

did not reach the following recipient(s):

anjah () imedia fr on Fri, 18 Mar 2005 13:06:23 -0600
    The e-mail account does not exist at the organization this message
was sent to.  Check the e-mail address, or contact the recipient
directly to find out the correct address.
    <imedia-hvj182q6.imedia.net #5.1.1>
Reporting-MTA: dns; UTDEVS08.campus.ad.utdallas.edu

Final-Recipient: RFC822; anjah@imedia.fr
Action: failed
Status: 5.1.1
X-Supplementary-Info: <imedia-hvj182q6.imedia.net #5.1.1>
X-Display-Name: anjah@imedia.fr
--- Begin Message ---
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 18 Mar 2005 13:00:40 -0600
I have some questions about three alerts.  All three are generated by 
preprocessors:

Truncated TCP Options
Experimental TCP Options
Stealth Activity Detected

In all three cases, viewing the data in BASE, the options fields are "None" 
for both IP and TCP.  In all three cases there is no payload.

What exactly is snort detecting that sets off these alerts?

Here's an example of one raw packet:

03/17-23:00:01.914868 129.110.95.215:46597 -> 67.123.84.30:22
TCP TTL:63 TOS:0x0 ID:41027 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x5F5AF2EC  Ack: 0xFD988884  Win: 0x7D4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 20862021 1159970956
00 00 00 0C 0A 15 00 00 00 00 00 00 00 00 00 00  ................

This shows the options as NOP, NOP, TS.

I know what the available options are - 
<http://www.iana.org/assignments/tcp-parameters>

But I don't know what "truncated" options are.  There are two octets set 
aside for options.  Does "truncated" mean the kind octet is set but the 
length octet is not?  Or vice versa?  (And how the heck did Skeeter and 
Bubba get in there anyway?)

What does "Experimental" options mean?  Is that referring to SACK?  Why are 
they noteworthy?

Let the packet monkeys speak.  :-)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--- End Message ---

--- End Message ---

Added example (not from the post, not Snort's own decoder): the checks an
options decoder has to make before it can raise alerts named like the ones
above, run over the NOP NOP TS packet quoted in the post and over a few
constructed option fields.  "Truncated" is taken here to mean a TLV option
whose length octet is missing, is less than 2, or claims more bytes than the
options field has left.  Kinds 253 and 254 are the ones RFC 4727 reserves for
experiments, and Skeeter and Bubba are kinds 16 and 17 in the IANA registry
the post links to; treating every kind outside the common set (EOL, NOP, MSS,
window scale, SACK-permitted, SACK, timestamp) as "experimental/unassigned" is
an assumption of this example, not Snort's list.  The TCP segment is
constructed from the fields in the quoted packet with a zero checksum; the
other option fields are made up to trigger each alert.

```python
import struct

# Option kinds from the IANA TCP option registry the post links to.
EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
SKEETER, BUBBA = 16, 17                 # registered by IANA, never standardised
RFC4727_EXPERIMENTAL = {253, 254}       # kinds reserved for experiments (RFC 4727)
# Assumption for this example: anything outside this set gets an
# "experimental/unassigned" note.  Snort keeps its own list in its decoder.
STANDARD = {EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP}


def tcp_options(segment):
    """Slice the options field out of a raw TCP segment.  Snort's TcpLen is the
    header length in bytes (data offset * 4); options are bytes 20..TcpLen-1."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad TCP data offset: header length %d" % hdr_len)
    return segment[20:hdr_len]


def parse_tcp_options(opts):
    """Walk an options field.  Returns (options, alerts): options is a list of
    (kind, data) pairs that were decoded; alerts lists what a decoder would flag.
    'Truncated' here means a TLV option whose length octet is missing, is < 2,
    or claims more bytes than are left in the field."""
    options, alerts = [], []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:                 # end of list; the rest is padding
            options.append((EOL, b""))
            break
        if kind == NOP:                 # single-octet option, no length
            options.append((NOP, b""))
            i += 1
            continue
        # Every other kind is TLV: kind, length (counts kind+length too), data.
        if i + 1 >= len(opts):
            alerts.append("truncated: kind %d has no length octet" % kind)
            break
        length = opts[i + 1]
        if length < 2:
            alerts.append("truncated: kind %d has length %d (< 2)" % (kind, length))
            break
        if i + length > len(opts):
            alerts.append("truncated: kind %d length %d exceeds the %d bytes left"
                          % (kind, length, len(opts) - i))
            break
        options.append((kind, opts[i + 2:i + length]))
        if kind in RFC4727_EXPERIMENTAL:
            alerts.append("experimental: kind %d (RFC 4727)" % kind)
        elif kind not in STANDARD:
            alerts.append("experimental/unassigned: kind %d" % kind)
        i += length
    return options, alerts


def decode_timestamp(data):
    """TS option data is two 32-bit big-endian values: TSval, TSecr."""
    if len(data) != 8:
        raise ValueError("timestamp option needs 8 data bytes")
    return struct.unpack("!II", data)


# Constructed TCP segment matching the raw packet quoted in the post
# (ports, seq/ack, flags AP, window 0x7D4, TcpLen 32, NOP NOP TS).  The
# checksum is left at zero.  TS values 20862021 and 1159970956 are
# 0x013E5445 and 0x4523C08C in hex.
SEGMENT = struct.pack("!HHIIBBHHH",
                      46597, 22, 0x5F5AF2EC, 0xFD988884,
                      8 << 4,            # data offset 8 words = 32 bytes
                      0x18,              # ACK | PSH
                      0x7D4, 0, 0) + bytes.fromhex("0101080a013e54454523c08c")

# Constructed malformed/unusual option fields for the other alert names.
NO_LENGTH_OCTET = bytes.fromhex("010102")     # NOP NOP then MSS kind with nothing after it
LENGTH_OVERRUN = bytes.fromhex("0204")        # MSS claims 4 bytes, only 2 present
RFC4727_OPTION = bytes.fromhex("fd040102")    # kind 253, len 4, two data bytes
SKEETER_OPTION = bytes.fromhex("100200")      # Skeeter (kind 16), len 2, then EOL


def report(opts):
    """One-line summary: decoded kinds and any alerts."""
    options, alerts = parse_tcp_options(opts)
    return "kinds=%s alerts=%s" % ([k for k, _ in options], alerts)


if __name__ == "__main__":
    for name, field in [("post packet", tcp_options(SEGMENT)),
                        ("no length octet", NO_LENGTH_OCTET),
                        ("length overrun", LENGTH_OVERRUN),
                        ("RFC 4727 kind", RFC4727_OPTION),
                        ("Skeeter", SKEETER_OPTION)]:
        print("%-16s %s" % (name, report(field)))
    ts_data = parse_tcp_options(tcp_options(SEGMENT))[0][2][1]
    print("TSval/TSecr:", decode_timestamp(ts_data))
```

The quoted packet decodes cleanly as NOP, NOP, TS with no alert, which is
why looking at the options of that one packet in BASE does not explain the
alert; the alerting packet has to be the one whose option walk stops early
or hits a kind outside the decoder's known set.
<test>
opts = tcp_options(SEGMENT)
assert opts == bytes.fromhex("0101080a013e54454523c08c")
options, alerts = parse_tcp_options(opts)
assert [k for k, _ in options] == [1, 1, 8]
assert alerts == []
assert decode_timestamp(options[2][1]) == (20862021, 1159970956)
assert parse_tcp_options(NO_LENGTH_OCTET)[1] == ["truncated: kind 2 has no length octet"]
assert parse_tcp_options(LENGTH_OVERRUN)[1] == ["truncated: kind 2 length 4 exceeds the 2 bytes left"]
assert parse_tcp_options(RFC4727_OPTION) == ([(253, b"\x01\x02")], ["experimental: kind 253 (RFC 4727)"])
assert parse_tcp_options(SKEETER_OPTION)[0] == [(16, b""), (0, b"")]
assert parse_tcp_options(SKEETER_OPTION)[1] == ["experimental/unassigned: kind 16"]
assert report(LENGTH_OVERRUN) == "kinds=[] alerts=['truncated: kind 2 length 4 exceeds the 2 bytes left']"
</test>
