[Snort-devel] Problems with snort_decoder (2.01beta Build 77)

Jeff Nathan jeff at ...835...
Sat May 10 02:24:06 EDT 2003

Hash: SHA1

Hi Phil,

You've got to pace yourself, man.  You're a machine. :)

I looked through the logs you attached.  They're strange to say the least. 
Here's my analysis of the first packet (the second is similar):

NOP (0x01)
NOP (0x01)
Here we encounter an option that is invalid in the context of this segment 
(RFC 2018: SACK OK is only valid for SYN)
SACK OK (0x04)
SACK OK len (0x02)
Here we encounter a nonexistent TCP option
0x18 (kind=24 ????)

The only reference I've seen to a kind 24 is a paper [1] mentioning an 
alternate TCP implementation called "Secure TCP"

Just to be sure, I scanned all the IETF RFC documents for an option 24 
didn't find one.


- -Jeff

[1] http://www.isoc.org/HMP/PAPER/144/html/node1.html

This sure looks like an anomaly to me.

- --On Friday, May 09, 2003 16:41:21 -0600 Phil Wood <cpw at ...86...> wrote:

> Snort Developer Folks,
> Snort version: Version 2.0.1beta (Build 77)
> Linux: 2.4.20 SMP Fri Mar 7 16:52:12 MST 2003 i686
> I think there is a problem with snort_decoder.  It is failing to decode
> packets correctly.  See the attached files:
>   bogus.alert
>   bogus.pcap
>   bogus.decoded
> Don't know the answer, too much to do, too little time.  But, from my
> perspective the packet looks correct option/count/length wise.
> Then, again this may be a known problem.  I must admit to not being able
> to keep up with the snortiness on the snort-users list.
> Thanks,
> Phil

- --
http://cerberus.sourcefire.com/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- - Albert Einstein
Version: GnuPG v1.0.7 (OpenBSD)


More information about the Snort-devel mailing list