Snort mailing list archives

Re: TCP-Flags are wrong in Preprocessor


From: Victor Roemer via Snort-devel <snort-devel () lists snort org>
Date: Thu, 22 Jun 2017 07:48:30 -0400

In your call to _dpd.addPreproc, try using PRIORITY_NETWORK.

On 6/21/17 3:36 PM, Matthias Wübbeling wrote:

Hi all,

I am working on a preprocessor that evaluates TCP flags. I experience
some strange values for the flags provided in (SFSnortPacket*)
pkt->tcp_header->flags.

I am using snort-2.9.9.0 and for the tests, I used the following pcap:
http://panda.gtisc.gatech.edu/malrec/pcap/ca59a9cd-3b81-4763-95c6-42292cf42798.pcap

The preprocessor evaluates the flags in the following way:

   /* Flag check as run from the preprocessor callback. p is the
    * SFSnortPacket* handed to the callback (called pkt above). */
   #include "sf_snort_packet.h"
   #include "sf_dynamic_preprocessor.h"

   extern DynamicPreprocessorData _dpd;

   static void log_tcp_flags(SFSnortPacket *p)
   {
     /* tcp_header is only populated for decoded TCP packets */
     if( p == NULL || p->tcp_header == NULL ){
       return;
     }
     if( p->tcp_header->flags & TCPHEADER_CWR ){
       _dpd.logMsg(" CWR");
     }
     if( p->tcp_header->flags & TCPHEADER_ECE ){
       _dpd.logMsg(" ECE");
     }
     if( p->tcp_header->flags & TCPHEADER_URG ){
       _dpd.logMsg(" URG");
     }
     if( p->tcp_header->flags & TCPHEADER_ACK ){
       _dpd.logMsg(" ACK");
     }
     if( p->tcp_header->flags & TCPHEADER_PUSH ){
       _dpd.logMsg(" PSH");
     }
     if( p->tcp_header->flags & TCPHEADER_RST ){
       _dpd.logMsg(" RST");
     }
     if( p->tcp_header->flags & TCPHEADER_SYN ){
       _dpd.logMsg(" SYN");
     }
     if( p->tcp_header->flags & TCPHEADER_FIN ){
       _dpd.logMsg(" FIN");
     }
   }

Using the above pcap, the output for the first TCP packet is:

ACK PSH

Examining the first TCP packet in wireshark shows the flags as follows:

0x002 (SYN)

Same problem with the checksum value, which is 0xb3d4 in the PP and
0x415d in wireshark.


What am I missing? Can anyone help me?

Kind regards
- Matthias



_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
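The mismatch reported in this thread (" ACK PSH" and checksum 0xb3d4 from the struct, SYN and 0x415d on the wire) is the kind of thing a self-check against the raw header bytes catches before a preprocessor trusts decoded fields. The following is an added example, not code from the thread or from Snort: it reads flags and checksum straight from a constructed 20-byte TCP header (a plain SYN with checksum 0x415d), renders the flags in the order the preprocessor above logs them, and compares them with whatever the decoder placed in the packet struct. The TCP_FLAG_* values mirror Snort's TCPHEADER_* bit layout; the sample header is constructed here.

```c
/* Added example: cross-check decoded TCP fields against wire bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_FLAG_FIN 0x01
#define TCP_FLAG_SYN 0x02
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_PSH 0x08
#define TCP_FLAG_ACK 0x10
#define TCP_FLAG_URG 0x20
#define TCP_FLAG_ECE 0x40
#define TCP_FLAG_CWR 0x80

/* Flags are byte 13 of the TCP header; checksum is bytes 16-17. */
static uint8_t wire_tcp_flags(const uint8_t *tcp) { return tcp[13]; }
static uint16_t wire_tcp_csum(const uint8_t *tcp)
{
    return (uint16_t)((tcp[16] << 8) | tcp[17]); /* network byte order */
}

/* Render flags in the same order the preprocessor logs them.
 * Returns a static buffer, so it is a logging helper, not reentrant. */
static const char *tcp_flag_string(uint8_t flags)
{
    static const struct { uint8_t bit; const char *name; } tbl[] = {
        { TCP_FLAG_CWR, " CWR" }, { TCP_FLAG_ECE, " ECE" },
        { TCP_FLAG_URG, " URG" }, { TCP_FLAG_ACK, " ACK" },
        { TCP_FLAG_PSH, " PSH" }, { TCP_FLAG_RST, " RST" },
        { TCP_FLAG_SYN, " SYN" }, { TCP_FLAG_FIN, " FIN" },
    };
    static char out[40];
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if ((flags & tbl[i].bit) != 0)
            strcat(out, tbl[i].name);
    return out;
}

/* 1 when the fields a decoder produced match the bytes on the wire. */
static int tcp_decode_consistent(const uint8_t *tcp, uint8_t decoded_flags,
                                 uint16_t decoded_csum)
{
    return wire_tcp_flags(tcp) == decoded_flags &&
           wire_tcp_csum(tcp) == decoded_csum;
}

/* Constructed 20-byte TCP header: ports 1234->80, SYN, checksum 0x415d. */
static const uint8_t sample_syn[20] = {
    0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
    0x50, TCP_FLAG_SYN, 0xff, 0xff, 0x41, 0x5d, 0x00, 0x00
};
```

Logging the result of tcp_decode_consistent alongside the struct values makes it obvious whether the callback is seeing this packet's decode or something stale, which is what the registration priority suggested above is about.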