Snort mailing list archives
Re: TCP header reserved bits
From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Tue, 28 Jul 2015 13:38:29 -0400
YM,

It looks like you can still use 'flags:2' to check if the low order reserved bits field in a TCP header have been set.

    case '1': /* reserved bit flags */
    case 'c':
    case 'C':
        idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
        break;

    case '2': /* reserved bit flags */
    case 'e':
    case 'E':
        idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
        break;

From the online snort manual under the 'flags' keyword section:
The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP". The old values of '1' and '2' are still valid for the flag keyword, but are now deprecated.

On Tue, Jul 28, 2015 at 12:46 PM, Y M <snort () outlook com> wrote:
I was wondering if there is a content modifier or some way to check whether the low order reserved bits of byte offset 12 in the TCP header are set. There is nothing I could find about this in the documentation. I also checked gid:129 rules and couldn't infer that the check/detection is available.

Any pointers or help is welcome.

Thanks.
YM

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
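Added example, not part of the original messages and not Snort's own code: a small C program that maps flag letters, including the deprecated '1' and '2' aliases quoted above, to a bit mask and tests it against a raw TCP header. ECE (0x40) and CWR (0x80) are the two high bits of header byte 13 per RFC 3168, so the low nibble of byte 12 is read by a separate function. The function names and the sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Bit values inside TCP header byte 13 (the flags byte). */
enum { R_FIN = 0x01, R_SYN = 0x02, R_RST = 0x04, R_PSH = 0x08,
       R_ACK = 0x10, R_URG = 0x20, R_ECE = 0x40, R_CWR = 0x80 };

/* Hypothetical helper: map flag letters ("CE", deprecated "12", "S", ...)
 * to a bit mask. Returns -1 on a character it does not know. */
int parse_flag_letters(const char *s)
{
    int mask = 0;
    for (; *s != '\0'; s++) {
        switch (*s) {
        case 'f': case 'F': mask |= R_FIN; break;
        case 's': case 'S': mask |= R_SYN; break;
        case 'r': case 'R': mask |= R_RST; break;
        case 'p': case 'P': mask |= R_PSH; break;
        case 'a': case 'A': mask |= R_ACK; break;
        case 'u': case 'U': mask |= R_URG; break;
        case '1': case 'c': case 'C': mask |= R_CWR; break;
        case '2': case 'e': case 'E': mask |= R_ECE; break;
        default: return -1;
        }
    }
    return mask;
}

/* Low four bits of byte 12, below the data offset nibble; -1 if too short. */
int tcp_byte12_low_bits(const uint8_t *tcp, size_t len)
{
    return (tcp != NULL && len >= 20) ? (tcp[12] & 0x0F) : -1;
}

/* 1 if every bit of mask is set in byte 13 of a len-byte header, else 0. */
int header_has_all(const uint8_t *tcp, size_t len, int mask)
{
    return tcp != NULL && len >= 20 && mask > 0 && (tcp[13] & mask) == mask;
}

/* Constructed sample: 20-byte TCP header, SYN with ECE and CWR set. */
static const uint8_t sample_hdr[20] = { 0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1,
    0, 0, 0, 0, 0x50, 0xc2, 0x72, 0x10, 0, 0, 0, 0 };

int main(void)
{
    return header_has_all(sample_hdr, 20, parse_flag_letters("2")) ? 0 : 1;
}
```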
Current thread:
- TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)
- Re: TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)
- Re: TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Y M (Jul 28)
- Re: TCP header reserved bits Geoffrey Serrao (Jul 28)