[Snort-devel] Problems with snort_decoder (2.01beta Build 77)
jeff at ...835...
Sat May 10 02:24:06 EDT 2003
You've got to pace yourself, man. You're a machine. :)
I looked through the logs you attached. They're strange to say the least.
Here's my analysis of the first packet (the second is similar):
Here we encounter an option that is invalid in the context of this segment
(RFC 2018: SACK OK is only valid for SYN)
SACK OK (0x04)
SACK OK len (0x02)
Here we encounter a nonexistent TCP option
0x18 (kind=24 ????)
The only reference I've seen to a kind 24 is a paper mentioning an
alternate TCP implementation called "Secure TCP".
Just to be sure, I scanned all the IETF RFC documents for an option 24 and
didn't find one.
This sure looks like an anomaly to me.
--On Friday, May 09, 2003 16:41:21 -0600 Phil Wood <cpw at ...86...> wrote:
> Snort Developer Folks,
> Snort version: Version 2.0.1beta (Build 77)
> Linux: 2.4.20 SMP Fri Mar 7 16:52:12 MST 2003 i686
> I think there is a problem with snort_decoder. It is failing to decode
> packets correctly. See the attached files:
> Don't know the answer, too much to do, too little time. But, from my
> perspective the packet looks correct option/count/length wise.
> Then, again this may be a known problem. I must admit to not being able
> to keep up with the snortiness on the snort-users list.
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
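The two checks described in the reply above (SACK OK on a segment that is not a SYN, and an option kind the decoder does not recognise), as an added example that is not part of the original message and is not Snort's decoder code. The function and flag names, the partial table of option kinds, and the sample bytes (including the length given to the kind-24 option) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
/* Anomaly bits (names are this example's own, not Snort's). */
enum { OPT_TRUNC = 1, OPT_BADLEN = 2, OPT_SACKOK_NOSYN = 4, OPT_UNKNOWN = 8 };

/* Partial table: fixed length of a kind, 0 = variable, -1 = not in table. */
static int known_len(uint8_t kind) {
    switch (kind) {
    case 2: return 4;    /* MSS */
    case 3: return 3;    /* window scale */
    case 4: return 2;    /* SACK permitted (RFC 2018) */
    case 5: return 0;    /* SACK blocks */
    case 8: return 10;   /* timestamps */
    default: return -1;
    }
}

/* Walk the option bytes of one segment and return the anomaly bits found. */
unsigned check_tcp_options(const uint8_t *opt, size_t n, uint8_t flags) {
    unsigned res = 0;
    size_t i = 0;
    while (i < n) {
        uint8_t kind = opt[i];
        if (kind == 0) break;                 /* end of option list */
        if (kind == 1) { i++; continue; }     /* NOP, single byte */
        if (i + 1 >= n) return res | OPT_TRUNC;
        uint8_t len = opt[i + 1];
        if (len < 2 || i + len > n) return res | OPT_BADLEN;
        int want = known_len(kind);
        if (want < 0) res |= OPT_UNKNOWN;
        else if (want > 0 && len != want) res |= OPT_BADLEN;
        if (kind == 4 && !(flags & TH_SYN)) res |= OPT_SACKOK_NOSYN;
        i += len;
    }
    return res;
}

/* Constructed sample: SACK OK (04 02), then kind 0x18 with an assumed length of 4. */
static const uint8_t SAMPLE[] = { 0x04, 0x02, 0x18, 0x04, 0x00, 0x00 };

int main(void) {
    printf("ACK segment: 0x%x\n", check_tcp_options(SAMPLE, sizeof SAMPLE, 0x10));
    printf("SYN segment: 0x%x\n", check_tcp_options(SAMPLE, sizeof SAMPLE, TH_SYN));
    return 0;
}
```

Both bits are set for the ACK-only segment; the same bytes on a SYN leave only the unknown-kind bit, since SACK OK is valid there.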