[Snort-sigs] what do the two constants TH_RES2,TH_RES1 mean

Dale L. Handy dhandy at ...1244...
Tue Jul 8 08:19:04 EDT 2003


I believe they stand for "Reserved 1" and "Reserved 2". These are two of
the six reserved bits in the TCP header. They are there for convenience
in working with the TCP flags.


曾 小立 wrote:

> Snort defines some constants like this:
> #define TH_FIN 0x01
> #define TH_SYN 0x02
> #define TH_RST 0x04
> #define TH_PUSH 0x08
> #define TH_ACK 0x10
> #define TH_URG 0x20
> #define *TH_RES2 *0x40
> #define *TH_RES1 *0x80
> Of couse I know the meaning of the first 6 constants , but I have no
> idea of the last 2 ones--TH_RES2 and TH_RES1. I've look them up in
> RFC793, but there're no the last 2 flags in the TCP header , only the
> first 6. Whereas the last 2 appear in the conditional sentences in
> snort very often, for example, in 'spp_stream4.c' , there's a
> conditional sentence like this:
> if(p->tcph->th_flags == (TH_SYN|TH_ACK|*TH_RES2*))
> {
> ssn->client.state = ESTABLISHED;
> return ACTION_SET_SERVER_ISN;
> }
> I'm totally confused. Please tell me and thank you very much in advance.
>
> Daizy
>
> ------------------------------------------------------------------------
> 免费下载 MSN Explorer <http://g.msn.com/8HMHCNCN/2740??PS=>
> ------------------------------------------------------- This SF.Net
> email sponsored by: Free pre-built ASP.NET sites including Data
> Reports, E-commerce, Portals, and Forums are available now. Download
> today and enter to win an XBOX or Visual Studio .NET.
> http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
> _______________________________________________ Snort-sigs mailing
> list Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs 


-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dhandy at ...1244...
   http://www.nitrodata.com






More information about the Snort-sigs mailing list