[Snort-devel] [PATCH]: Add Nonce Sum bit to 'flags'

Todd Wease twease at ...402...
Mon Jan 28 09:48:32 EST 2013


On Sat, Jan 26, 2013 at 4:59 AM, Joshua Kinard <kumba at ...2185...> wrote:

>
> Hi snort-devel,
>
> The attached patch adds support for reading the 'Nonce Sum' bit of the TCP
> Flags byte, as defined in RFC 3540.  The order of the 'C' and 'E' bit case
> statements is moved around to put them into logical (LSB) order
> (FSRPAUECN).  It also fixes the TCPHEADER_NORESERVED macro in
> src/dynamic-plugins/sf_engine/sf_snort_packet.h, which was missing the
> ECE/CWR bits, and adds TCPHEADER_NS to it as well.  The TeX for the manual
> is also updated.
>
>  doc/snort_manual.tex                            |    7 ++--
>  src/detection-plugins/sp_tcp_flag_check.c       |   35 +++++++++++++++---------
>  src/dynamic-plugins/sf_engine/sf_snort_packet.h |    4 ++
>  src/rules.h                                     |    1
>  4 files changed, 31 insertions(+), 16 deletions(-)
>
>
> Cheers!,
>
> --
> Joshua Kinard
> Gentoo/MIPS
> kumba at ...2185...
> 4096R/D25D95E3 2011-03-28
>
> "The past tempts us, the present confuses us, the future frightens us.  And
> our lives slip away, moment by moment, lost in that vast, terrible
> in-between."
>
> --Emperor Turhan, Centauri Republic


Thanks for the patch Joshua.  We've created a feature bug to get this into
Snort.

Todd
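
As an added illustration of what the thread discusses (not code from the patch or from Snort): a decoder that reads all nine TCP flag bits, including the RFC 3540 Nonce Sum bit in the low bit of header byte 12, and renders them in the LSB order "FSRPAUECN" mentioned above. The `EX_`/`ex_` names and the sample header are constructed for this example; bit positions follow RFC 793, RFC 3168 and RFC 3540.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for this example, not Snort's macros. */
#define EX_TH_FIN 0x001
#define EX_TH_SYN 0x002
#define EX_TH_RST 0x004
#define EX_TH_PSH 0x008
#define EX_TH_ACK 0x010
#define EX_TH_URG 0x020
#define EX_TH_ECE 0x040
#define EX_TH_CWR 0x080
#define EX_TH_NS  0x100   /* low bit of header byte 12 (RFC 3540) */
#define EX_TH_ALL 0x1FF

/* Return the 9 flag bits of a raw TCP header, or -1 if too short or malformed. */
int ex_tcp_flags(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 20)
        return -1;
    if ((hdr[12] >> 4) < 5)   /* data offset below the 20-byte minimum */
        return -1;
    return (((int)hdr[12] << 8) | hdr[13]) & EX_TH_ALL;
}

/* Render flags in LSB order "FSRPAUECN"; unset bits become '.'. */
void ex_flags_str(int flags, char out[10])
{
    static const char names[] = "FSRPAUECN";
    for (int i = 0; i < 9; i++)
        out[i] = (flags & (1 << i)) ? names[i] : '.';
    out[9] = '\0';
}

/* Constructed sample header: SYN with ECE, CWR and NS set, data offset 5. */
static const uint8_t ex_syn_ecn[20] = {
    0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
    0x51, 0xc2, 0xff, 0xff, 0, 0, 0, 0
};

int main(void)
{
    char s[10];
    int f = ex_tcp_flags(ex_syn_ecn, sizeof ex_syn_ecn);
    ex_flags_str(f, s);
    printf("flags=0x%03x %s (byte 13 alone: 0x%02x)\n", f, s, f & 0xff);
    return 0;
}
```

A decoder that reads only header byte 13 reports 0xc2 for this sample and never sees the NS bit, so a rule meant to match on it could not fire.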