Snort mailing list archives
TCP-Flags are wrong in Preprocessor
From: Matthias Wübbeling <matthias.wuebbeling () cs uni-bonn de>
Date: Wed, 21 Jun 2017 21:36:35 +0200
Hi all,

I am working on a preprocessor that evaluates TCP flags. I experience some strange values for the flags provided in (SFSnortPacket*) pkt->tcp_header->flags. I am using snort-2.9.9.0 and for the tests, I used the following pcap:

http://panda.gtisc.gatech.edu/malrec/pcap/ca59a9cd-3b81-4763-95c6-42292cf42798.pcap

The preprocessor evaluates the flags in the following way:

    if( p->tcp_header->flags & TCPHEADER_CWR ){ _dpd.logMsg(" CWR"); }
    if( p->tcp_header->flags & TCPHEADER_ECE ){ _dpd.logMsg(" ECE"); }
    if( p->tcp_header->flags & TCPHEADER_URG ){ _dpd.logMsg(" URG"); }
    if( p->tcp_header->flags & TCPHEADER_ACK ){ _dpd.logMsg(" ACK"); }
    if( p->tcp_header->flags & TCPHEADER_PUSH ){ _dpd.logMsg(" PSH"); }
    if( p->tcp_header->flags & TCPHEADER_RST ){ _dpd.logMsg(" RST"); }
    if( p->tcp_header->flags & TCPHEADER_SYN ){ _dpd.logMsg(" SYN"); }
    if( p->tcp_header->flags & TCPHEADER_FIN ){ _dpd.logMsg(" FIN"); }

Using the above pcap, the output for the first TCP packet is:

    ACK PSH

Examining the first TCP packet in wireshark shows the flags as follows:

    0x002 (SYN)

Same problem with the checksum value, which is 0xb3d4 in the PP and 0x415d in wireshark.

What am I missing? Can anyone help me?

Kind regards
- Matthias
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
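A standalone check that reads the flags byte directly from a raw TCP header and decodes it in the same order the preprocessor above prints, so a value reported via pkt->tcp_header->flags can be compared against the bytes on the wire. This is an added example, not code from the post or from Snort; the TCPHEADER_* values are the standard RFC 793/3168 bit positions assumed to match the Snort macro names, and the 20-byte SYN header is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits in byte 13 of the TCP header (RFC 793 / RFC 3168). The names
 * mirror the TCPHEADER_* macros used in the post; the values are the
 * standard wire positions, assumed here rather than copied from Snort. */
#define TCPHEADER_FIN  0x01
#define TCPHEADER_SYN  0x02
#define TCPHEADER_RST  0x04
#define TCPHEADER_PUSH 0x08
#define TCPHEADER_ACK  0x10
#define TCPHEADER_URG  0x20
#define TCPHEADER_ECE  0x40
#define TCPHEADER_CWR  0x80

/* Decode a flags byte into a space-separated string, in the same
 * CWR..FIN order the preprocessor in the post logs them. */
size_t tcp_flags_str(uint8_t flags, char *out, size_t outlen) {
    static const struct { uint8_t bit; const char *name; } table[] = {
        {TCPHEADER_CWR, "CWR"}, {TCPHEADER_ECE, "ECE"}, {TCPHEADER_URG, "URG"},
        {TCPHEADER_ACK, "ACK"}, {TCPHEADER_PUSH, "PSH"}, {TCPHEADER_RST, "RST"},
        {TCPHEADER_SYN, "SYN"}, {TCPHEADER_FIN, "FIN"},
    };
    size_t n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (flags & table[i].bit)
            n += snprintf(out + n, outlen > n ? outlen - n : 0,
                          "%s%s", n ? " " : "", table[i].name);
    return n;
}

/* Flags byte straight from the raw header (offset 13), independent of any
 * decoder struct; 0 if the buffer is shorter than a minimal TCP header. */
uint8_t tcp_raw_flags(const uint8_t *tcp_hdr, size_t len) {
    return len >= 20 ? tcp_hdr[13] : 0;
}

/* Convenience check: does a flags byte decode to the expected string? */
int flags_match(uint8_t flags, const char *expected) {
    char buf[64];
    tcp_flags_str(flags, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Constructed 20-byte TCP SYN header: sport 1234, dport 80, seq 1, ack 0,
 * data offset 5, flags 0x02, window 65535, checksum 0, urgent pointer 0. */
static const uint8_t SAMPLE_SYN[20] = {
    0x04,0xd2, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };
```

Calling tcp_flags_str(tcp_raw_flags(SAMPLE_SYN, 20), ...) yields "SYN", while a byte of 0x18 decodes to "ACK PSH", the output the post reports for a packet Wireshark shows as a SYN.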
Current thread:
- TCP-Flags are wrong in Preprocessor Matthias Wübbeling (Jun 21)
- Re: TCP-Flags are wrong in Preprocessor Victor Roemer via Snort-devel (Jun 22)
- Re: TCP-Flags are wrong in Preprocessor Matthias Wübbeling (Jun 22)
- Re: TCP-Flags are wrong in Preprocessor Victor Roemer via Snort-devel (Jun 22)