Re: TCP header reserved bits

[Y M <snort () outlook com>]

Thank you Geoffrey, appreciate the time you put into testing this. I will try to dig deeper into it.

Thanks again.
YM

Date: Tue, 28 Jul 2015 15:17:04 -0400
Subject: Re: [Snort-sigs] TCP header reserved bits
From: gserrao () sourcefire com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net

whoops, attaching example pcap. 

On Tue, Jul 28, 2015 at 3:16 PM, Geoffrey Serrao <gserrao () sourcefire com> wrote:
YM,

I tested the flags option with the attached pcap and you're absolutely right that those 3 highest order bits in the 
flag section can't be tested with the 'flags' keyword. 

If you're up for writing a shared object rule the tcp flags in their entirety are available to you in the TCPHeader 
structure:

typedef struct _TCPHeader
 {   
     uint16_t source_port;
     uint16_t destination_port;
     uint32_t sequence;
     uint32_t acknowledgement;
     uint8_t offset_reserved;
     uint8_t flags;
     uint16_t window;
     uint16_t checksum;
     uint16_t urgent_pointer;
 } TCPHeader;


You could create a shared object rule that looks at the flags byte and alerts if the first three bits are set. 

On Tue, Jul 28, 2015 at 2:06 PM, Y M <snort () outlook com> wrote:



Thanks Geoffrey.

Interesting. My interpretation of the documentation and aligning that with the TCP header, the "E" and "C" flags will 
check whether the last 2 bits of of the higher order bits of byte offset 13, i.e.: CWR and ECE. Precisely, I was 
attempting to address the match against the first 3 bits of the lower order bits of byte offset 12 excluding the 
ECN-E/NS bit, similar to what is described in RFC4413, or at least my interpretation of it.

I could be completely off here, so please correct if I am wrong.

Thanks again!
YM

Date: Tue, 28 Jul 2015 13:38:29 -0400
Subject: Re: [Snort-sigs] TCP header reserved bits
From: gserrao () sourcefire com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net

YM,

It looks like you can still use 'flags:2' to check if the low order reserved bits field in a TCP header have been set. 

229             case '1': /* reserved bit flags */
230             case 'c':
231             case 'C':
232                 idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
233                 break;
234 
235             case '2': /* reserved bit flags */
236             case 'e':
237             case 'E':
238                 idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
239                 break;




> From the online snort manual under the 'flags' keyword section: 

The reserved bits '1' and '2' have been replaced with 'C' and 'E', respectively, 
to match RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP".
The old values of '1' and '2' are still valid for the flag keyword, but
are now deprecated.



On Tue, Jul 28, 2015 at 12:46 PM, Y M <snort () outlook com> wrote:



I was wondering if there is a content modifier or some way to check whether the low order reserved bits of byte offset 
12 in the TCP header is set. There is nothing I could find about this in the documentation. I also checked gid:129 
rules and couldn't infer that the check/detection is available.

Any pointers or help is welcome.

Thanks.
YM
                                          

------------------------------------------------------------------------------


_______________________________________________

Snort-sigs mailing list

Snort-sigs () lists sourceforge net

https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org





Please visit http://blog.snort.org for the latest news about Snort!

                                          



------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!