Snort mailing list archives

Re: tcp_decode logging

From: vulnerable <vulnerable () gmail com>
Date: Thu, 13 Apr 2006 22:02:35 -0400

Multiple sources but appears to be confined to just two subnets, each
talking to random hosts on the internet.

On 4/13/06, Will Metcalf <william.metcalf () gmail com> wrote:


Are the alerts being generated from one source in particular?  If so
are the alerts being generated when that source is communicating with
another internal host?

Regards,

Will

On 4/13/06, vulnerable <vulnerable () gmail com> wrote:

Recently i've been recieving lots of 'tcp experimental options' alerts
through the tcp_decoder.

I am using barnyard w/ unified logging however the tcp options are not
being logged.  Is this by design?  I can't find any firm answers.  I'd
like to enable this if I can.

And since this isn't being logged I can't find the cause,  I'm
assuming it's a false positive though.  Random packet captures show
the options such as:

| 02 04 05 78 01 01 04 02 4c 0a 00 40  01 01 0a 70 01 1e 00 05 01 00  |
which ethereal decodes as MSS 1400 NOP NOP SACK Unknown 0x4c NOP EOL

But I'm only assuming this is the bad packet since none of the flagged
packets are being logged by snort...

Is it recommended that I disable this alert w/ config
disable_tcpopt_experimental_alerts?  Still, I'd prefer to fix or
understand the issue before disabling the alert.  What are the general
causes of these experimental options?

tia


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting

language

that extends applications into web and mobile media. Attend the live

webcast

and join the prime developer group breaking into this new coding

territory!

http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listsnort-users

Current thread:

tcp_decode logging vulnerable (Apr 13)
- Re: tcp_decode logging Will Metcalf (Apr 13)
  - Re: tcp_decode logging vulnerable (Apr 13)