[Snort-sigs] TCP header reserved bits

Geoffrey Serrao gserrao at ...435...
Tue Jul 28 13:38:29 EDT 2015


YM,

It looks like you can still use 'flags:2' to check whether the low-order
reserved bits in a TCP header have been set.

            case '1': /* reserved bit flags */
            case 'c':
            case 'C':
                idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
                break;

            case '2': /* reserved bit flags */
            case 'e':
            case 'E':
                idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
                break;

From the online snort manual under the 'flags' keyword section:

The reserved bits '1' and '2' have been replaced with 'C' and 'E',
respectively, to match RFC 3168, "The Addition of Explicit Congestion
Notification (ECN) to IP". The old values of '1' and '2' are still valid
for the flag keyword, but are now deprecated.

On Tue, Jul 28, 2015 at 12:46 PM, Y M <snort at ...3751...> wrote:

> I was wondering if there is a content modifier or some way to check
> whether the low order reserved bits of byte offset 12 in the TCP header is
> set. There is nothing I could find about this in the documentation. I also
> checked gid:129 rules and couldn't infer that the check/detection is
> available.
>
> Any pointers or help is welcome.
>
> Thanks.
> YM
>
>
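An added illustration, not part of the thread or of Snort's own code: a small Python model of how the flags keyword evaluates the CWR and ECE bits of a raw TCP header, including the deprecated '1' and '2' spellings accepted by the parser quoted above. It assumes a constructed 20-byte header without options and leaves out the keyword's optional ',mask' argument.

```python
import struct

# Bit values of the 8-bit TCP flags field (low byte of the 16-bit word at
# header offset 12). CWR and ECE sit in the two former reserved bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}
# Deprecated spellings the parser above still accepts: '1' -> CWR, '2' -> ECE.
DEPRECATED_ALIASES = {"1": "C", "2": "E"}

def make_tcp_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options) with the given flags byte."""
    # sport, dport, seq, ack, data offset 5 words, flags, window, csum, urg ptr
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, 8192, 0, 0)

def tcp_flags_from_header(header: bytes) -> int:
    """Return the flags byte of a raw TCP header (needs at least 14 bytes)."""
    if len(header) < 14:
        raise ValueError("TCP header too short to contain the flags field")
    (word,) = struct.unpack_from("!H", header, 12)
    return word & 0xFF

def parse_flags_option(option: str) -> tuple:
    """Parse a Snort 'flags:' value into (bitmask, mode); mode is '' exact,
    '+' all given bits set, '*' any given bit set, '!' none of them set."""
    option = option.strip()
    mode = ""
    if option and option[0] in "+*!":
        mode, option = option[0], option[1:]
    mask = 0
    for ch in option:
        if ch == "0":               # '0' means "no flags set"
            continue
        ch = DEPRECATED_ALIASES.get(ch, ch.upper())
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag character {ch!r}")
        mask |= TCP_FLAG_BITS[ch]
    return mask, mode

def flags_match(option: str, header: bytes) -> bool:
    """Evaluate a 'flags:' option (without the optional ',mask') on a header."""
    mask, mode = parse_flags_option(option)
    flags = tcp_flags_from_header(header)
    if mode == "+":
        return (flags & mask) == mask
    if mode == "*":
        return (flags & mask) != 0
    if mode == "!":
        return (flags & mask) == 0
    return flags == mask
```

With an ECN-setup SYN (flags byte 0xC2), 'flags:C' alone does not match because the exact form requires only CWR, while 'flags:+C', 'flags:*CE' and the deprecated 'flags:+2' do.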