Snort mailing list archives

TCP-Flags are wrong in Preprocessor


From: Matthias Wübbeling <matthias.wuebbeling () cs uni-bonn de>
Date: Wed, 21 Jun 2017 21:36:35 +0200

Hi all,

I am working on a preprocessor that evaluates TCP flags. I experience
some strange values for the flags provided in (SFSnortPacket*)
pkt->tcp_header->flags.

I am using snort-2.9.9.0 and for the tests, I used the following pcap:
http://panda.gtisc.gatech.edu/malrec/pcap/ca59a9cd-3b81-4763-95c6-42292cf42798.pcap

The preprocessor evaluates the flags in the following way:

  if( p->tcp_header->flags & TCPHEADER_CWR ){
    _dpd.logMsg(" CWR");
  }
  if( p->tcp_header->flags & TCPHEADER_ECE ){
    _dpd.logMsg(" ECE");
  }
  if( p->tcp_header->flags & TCPHEADER_URG ){
    _dpd.logMsg(" URG");
  }
  if( p->tcp_header->flags & TCPHEADER_ACK ){
    _dpd.logMsg(" ACK");
  }
  if( p->tcp_header->flags & TCPHEADER_PUSH ){
    _dpd.logMsg(" PSH");
  }
  if( p->tcp_header->flags & TCPHEADER_RST ){
    _dpd.logMsg(" RST");
  }
  if( p->tcp_header->flags & TCPHEADER_SYN ){
    _dpd.logMsg(" SYN");
  }
  if( p->tcp_header->flags & TCPHEADER_FIN ){
    _dpd.logMsg(" FIN");
  }

Using the above pcap, the output for the first TCP packet is:

ACK PSH

Examining the first TCP packet in wireshark shows the flags as follows:

0x002 (SYN)


Same problem with the checksum value, which is 0xb3d4 in the PP and
0x415d in wireshark.


What am I missing? Can anyone help me?

Kind regards
- Matthias

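An added standalone check, not from the original post and not Snort code: it locates the TCP header in a raw Ethernet/IPv4 frame and reads the flags byte and checksum field directly from the bytes, so the value seen in tcp_header->flags can be compared against an independent decoding of the same packet. The TCP_* constants, the constructed sample frame, and the assumption of an untagged Ethernet link layer are mine; a VLAN-tagged or non-Ethernet capture makes raw_tcp_fields() return -1, which is itself a hint that the layer-2 assumption behind the decode is wrong.

```c
#include <stdint.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (RFC 793 / RFC 3168).
 * Own constants; assumed, not verified, to match Snort's TCPHEADER_* macros. */
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_PSH = 0x08,
       TCP_ACK = 0x10, TCP_URG = 0x20, TCP_ECE = 0x40, TCP_CWR = 0x80 };

/* Find the TCP header in an untagged Ethernet/IPv4 frame and return the flags
 * byte and the checksum field as carried on the wire. Returns 0 on success,
 * -1 if the frame is not IPv4/TCP over plain Ethernet or is truncated. */
static int raw_tcp_fields(const uint8_t *frame, size_t len, uint8_t *flags, uint16_t *csum)
{
    if (len < 34 || frame[12] != 0x08 || frame[13] != 0x00) return -1; /* not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* IP header length incl. options */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1; /* not TCP */
    if (len < 14 + ihl + 20) return -1;               /* truncated */
    const uint8_t *tcp = ip + ihl;
    *flags = tcp[13];
    *csum  = (uint16_t)((tcp[16] << 8) | tcp[17]);
    return 0;
}

/* Render a flags byte in the same order and spelling as the preprocessor's
 * logMsg() calls, so the two decodings can be diffed side by side. */
static void flags_to_str(uint8_t flags, char *out, size_t outlen)
{
    static const struct { uint8_t bit; const char *name; } tbl[] = {
        {TCP_CWR, " CWR"}, {TCP_ECE, " ECE"}, {TCP_URG, " URG"}, {TCP_ACK, " ACK"},
        {TCP_PSH, " PSH"}, {TCP_RST, " RST"}, {TCP_SYN, " SYN"}, {TCP_FIN, " FIN"},
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (flags & tbl[i].bit) strncat(out, tbl[i].name, outlen - strlen(out) - 1);
}

/* Constructed sample: Ethernet + minimal IPv4 + 20-byte TCP SYN; the checksum
 * field is just set to 0x415d for the comparison and is not validated here. */
static const uint8_t sample_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x30,0x39, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0x72,0x10, 0x41,0x5d, 0x00,0x00,
};
```

Inside a preprocessor, call raw_tcp_fields() on the raw frame bytes the packet was decoded from and compare the result with tcp_header->flags and tcp_header->checksum for the same packet; a mismatch on the first packet narrows the question to how that packet's headers were decoded rather than to the flag test itself.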

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
