Snort mailing list archives
Flags keyword still doesn't treat reserved bits as ECE and CWR
From: <Joshua.Kinard () us-cert gov>
Date: Mon, 11 Apr 2011 21:29:52 -0400
Hi snort-devel,

Back in the December timeframe, I sent in a patch to relabel '1' and '2' to become 'C' and 'E' in the 'flags', as these bits are now official, per RFC 3168. In the ChangeLog for snort-2.9.0.4, I see this:

    * src/detection-plugins/sp_tcp_flag_check.c: Changed the reserved bits flags "1, 2" to "C, E". The old values can still be used for backwards compatibility.

Yet, as of snort-2.9.0.5, if I look in src/detection-plugins/sp_tcp_flag_check.c::ParseTCPFlags(), I see only this:

    case '1': /* reserved bit flags */
        idx->tcp_flags |= R_RES1;
        break;
    case '2': /* reserved bit flags */
        idx->tcp_flags |= R_RES2;
        break;

The patch I submitted should have changed that area to consider 'C' and 'E' (while keeping '1' and '2' as well). The manual's TeX code was also not updated. Was this patch missed by accident?

It seems one additional bit of the reserved field in the TCP header has a use now as the 'NONCE', or 'N', flag. I see references to it in the Snort source, but uncertain of how well supported it is. Flags does not currently check for this bit. Is this of interest? Might the remaining two reserved bits be worth checking in case they contain invalid bits (kind of like fragbits checking the 'R' or "evil bit")?

Also curious, I see references to TCP options, such as SACK, MSS, etc, but there does not appear to be a dedicated rule option to parsing and checking the TCP options field. Has this ever been considered? I know it's a fairly complicated field from looking it up (SACK especially deals with some variable data), so checking this might need multiple new rule options.

Cheers!,
--J
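The parsing the message asks about, shown as an added example that is not Snort's own code: a small parser for a Snort-style "flags:" value that accepts 'C' and 'E' alongside the legacy '1' and '2', a matcher that evaluates the parsed rule against the offset/reserved/flags word of a TCP header, and a check for the two bits that are still reserved. The bit values come from the TCP header layout (RFC 793, RFC 3168, RFC 3540); the constant names, the 'N' letter for the nonce-sum bit, the mapping of '1' to CWR and '2' to ECE (from the manual's description of '1' as the most significant flag bit), and the reading of '!' as "none of the named bits set" are this example's own assumptions, not Snort's code or documented behaviour.

```c
/* Added example, not Snort code: parse a "flags:" option value into a bitmask over the
 * 16-bit word formed by TCP header bytes 12-13 (data offset, reserved bits, flags) and
 * evaluate it against a header word. Letter-to-bit mapping and modifier semantics are
 * this example's assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Bit values within the host-order 16-bit word of header bytes 12 and 13. */
#define TF_FIN 0x0001
#define TF_SYN 0x0002
#define TF_RST 0x0004
#define TF_PSH 0x0008
#define TF_ACK 0x0010
#define TF_URG 0x0020
#define TF_ECE 0x0040   /* RFC 3168 ECN-Echo, letter 'E' (legacy '2', assumed mapping) */
#define TF_CWR 0x0080   /* RFC 3168 CWR, letter 'C' (legacy '1', assumed mapping) */
#define TF_NS  0x0100   /* RFC 3540 nonce sum; letter 'N' is this example's choice */
#define TF_RESERVED (0x0200 | 0x0400) /* the two bits still reserved in the header */

enum flag_mode { MODE_EXACT, MODE_PLUS, MODE_ANY, MODE_NOT };

struct flag_rule {
    enum flag_mode mode;
    uint16_t match;   /* bits named before the comma */
    uint16_t ignore;  /* bits named after the comma, masked out before comparing */
};

static int letter_to_bit(char c, uint16_t *bit)
{
    switch (c) {
    case 'F': *bit = TF_FIN; return 1;
    case 'S': *bit = TF_SYN; return 1;
    case 'R': *bit = TF_RST; return 1;
    case 'P': *bit = TF_PSH; return 1;
    case 'A': *bit = TF_ACK; return 1;
    case 'U': *bit = TF_URG; return 1;
    case 'C': case '1': *bit = TF_CWR; return 1;  /* '1' kept so old rules still load */
    case 'E': case '2': *bit = TF_ECE; return 1;  /* '2' kept so old rules still load */
    case 'N': *bit = TF_NS;  return 1;
    case '0': *bit = 0;      return 1;  /* "no flags set" */
    default:  return 0;                 /* unknown letter: reject the rule */
    }
}

/* Parse "[!|*|+]<letters>[,<letters>]". Returns 0 on success, -1 on a bad character. */
int parse_tcp_flags(const char *spec, struct flag_rule *out)
{
    uint16_t *target = &out->match;
    out->mode = MODE_EXACT;
    out->match = out->ignore = 0;
    switch (*spec) {
    case '+': out->mode = MODE_PLUS; spec++; break;  /* named bits plus any others */
    case '*': out->mode = MODE_ANY;  spec++; break;  /* any of the named bits */
    case '!': out->mode = MODE_NOT;  spec++; break;  /* none of the named bits (assumed) */
    }
    for (; *spec; spec++) {
        uint16_t bit;
        if (*spec == ',') { target = &out->ignore; continue; }
        if (!letter_to_bit(*spec, &bit)) return -1;
        *target |= bit;
    }
    return 0;
}

/* Evaluate the rule against the offset/reserved/flags word of a TCP header. */
int tcp_flags_match(const struct flag_rule *r, uint16_t off_flags_word)
{
    /* Drop the 4-bit data offset, then the bits the rule says to ignore. */
    uint16_t flags = (off_flags_word & 0x0FFF) & (uint16_t)~r->ignore;
    switch (r->mode) {
    case MODE_EXACT: return flags == r->match;
    case MODE_PLUS:  return (flags & r->match) == r->match;
    case MODE_ANY:   return (flags & r->match) != 0;
    case MODE_NOT:   return (flags & r->match) == 0;
    }
    return 0;
}

/* Nonzero if either still-reserved bit is set: a header no conforming stack emits. */
int tcp_reserved_bits_set(uint16_t off_flags_word)
{
    return (off_flags_word & TF_RESERVED) != 0;
}

int main(void)
{
    /* Constructed bytes 12-13 of an ECN-setup SYN (RFC 3168 section 6.1.1):
     * data offset 5 with SYN, ECE and CWR set -> 0x50C2. */
    uint16_t ecn_syn = 0x50C2;
    struct flag_rule r;
    if (parse_tcp_flags("SCE", &r) == 0)
        printf("flags:SCE matches ECN SYN: %d\n", tcp_flags_match(&r, ecn_syn));
    if (parse_tcp_flags("S12", &r) == 0)
        printf("legacy flags:S12 matches ECN SYN: %d\n", tcp_flags_match(&r, ecn_syn));
    printf("reserved bits set on 0x52C2: %d\n", tcp_reserved_bits_set(0x52C2));
    return 0;
}
```

Working on the full 16-bit word rather than byte 13 alone is what lets one parser cover the nonce-sum bit and the two remaining reserved bits, which is the extra check the message raises; a rule written as flags:S,CE keeps matching plain and ECN-setup SYNs alike, while flags:S alone rejects the ECN variant under exact matching.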
Current thread:
- Flags keyword still doesn't treat reserved bits as ECE and CWR Joshua.Kinard (Apr 11)
- Re: Flags keyword still doesn't treat reserved bits as ECE and CWR Joel Esler (Apr 11)
- Re: Flags keyword still doesn't treat reserved bits as ECE and CWR Joshua.Kinard (Apr 12)
- Re: Flags keyword still doesn't treat reserved bits as ECE and CWR Joel Esler (Apr 11)