[Snort-sigs] Invalid TCP packet, header length<20 bytes

Chris Reining creining at ...1973...
Wed Jul 14 20:05:15 EDT 2004


> I am trying to create a rule that will detect TCP
> packets with header less than 20 bytes, that is
> HLEN<5.

Detection of that is already done, not as part of rules but as part of
the ethernet decoding of packets (decode.c). A warning will be generated
that states the TCP data offset is less than 5. If you haven't turned
off generic decode events (disable_decode_alerts) then you should be
seeing those warnings. For a rule, I can't think of a decent way to test
that the TCP header is at least 20 bytes...

Later
Chris

> alert ip $EXTERNAL_NET any -> $HOME_NET any
> (msg:"Invalid TCP packet, header length<20 bytes";
> byte_test: 1, <, 80, 12, string, dec; ip_proto:tcp;
> reference: url,
> http.www.ibiblio.org/pub/docs/rfc/rfc793.txt;
> classtype:bad-unknown; sid:10067; rev:1;)

> alert ip $EXTERNAL_NET any -> $HOME_NET any
> (msg:"Invalid TCP packet, header length<20 bytes 2";
> dsize:<20; ip_proto:tcp; reference: url, 
> http.www.ibiblio.org/pub/docs/rfc/rfc793.txt;
> classtype:bad-unknown; sid:10067; rev:1;)

> I create a packet with HLEN=4 for the tests.
> The first rule never fires and the second creates
> plenty of false positives.
