[Snort-sigs] what do the two constants TH_RES2,TH_RES1 mean

Chris Green cmg at ...435...
Tue Jul 8 13:16:05 EDT 2003


"Ôø СÁ¢" <e_zxl at ...12...> writes:

>    Snort defines some constants like this:
>    #define TH_FIN  0x01
>    #define TH_SYN  0x02
>    #define TH_RST  0x04
>    #define TH_PUSH 0x08
>    #define TH_ACK  0x10
>    #define TH_URG  0x20
>    #define TH_RES2 0x40
>    #define TH_RES1 0x80
>    Of couse I know the meaning of the first 6 constants , but I have no idea of  the last 2
> ones--TH_RES2 and TH_RES1. I've look them up in  RFC793, but there're no the last 2 flags in
> the TCP header , only the first 6. 

Back in the 80s, they were reserved for future use.  When trying to
find these values, look for things that supplement and refer to RFC793
:)

> Whereas the last 2 appear in the conditional sentences in snort very
> often, for example, in 'spp_stream4.c' , there's a conditional
> sentence like this: 

Read

 http://www.securityfocus.com/infocus/1205

For the modern meaning of those bits
-- 
Chris Green <cmg at ...435...>
Laugh and the world laughs with you, snore and you sleep alone.




More information about the Snort-sigs mailing list