[Snort-sigs] TCP header reserved bits

Geoffrey Serrao gserrao at ...435...
Tue Jul 28 15:16:33 EDT 2015


YM,

I tested the flags option with the attached pcap and you're absolutely
right that those 3 highest order bits in the flag section can't be tested
with the 'flags' keyword.

If you're up for writing a shared object rule, the tcp flags in their
entirety are available to you in the TCPHeader structure:

typedef struct _TCPHeader
{
    uint16_t source_port;
    uint16_t destination_port;
    uint32_t sequence;
    uint32_t acknowledgement;
    uint8_t offset_reserved;
    uint8_t flags;
    uint16_t window;
    uint16_t checksum;
    uint16_t urgent_pointer;
} TCPHeader;


You could create a shared object rule that looks at the flags byte and
alerts if the first three bits are set.
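As an added illustration of the shared object approach (example code, not Snort's own and not from the thread), the check below copies a raw 20-byte TCP header into the quoted TCPHeader layout and tests the three RFC 793 reserved bits of byte 12, the ones the 'flags' keyword cannot reach because it only sees byte 13. The masks, helper names and the constructed sample header are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Same layout as the Snort TCPHeader quoted above (20 bytes, no padding). */
typedef struct _TCPHeader {
    uint16_t source_port;
    uint16_t destination_port;
    uint32_t sequence;
    uint32_t acknowledgement;
    uint8_t  offset_reserved; /* byte 12: data offset (high nibble), 3 reserved bits, NS */
    uint8_t  flags;           /* byte 13: CWR ECE URG ACK PSH RST SYN FIN */
    uint16_t window;
    uint16_t checksum;
    uint16_t urgent_pointer;
} TCPHeader;

#define TCP_RESERVED_MASK 0x0E /* bits 3..1 of byte 12 (RFC 793 reserved) */
#define TCP_NS_MASK       0x01 /* bit 0 of byte 12 (RFC 3540 nonce sum) */

/* Copy raw header bytes into the struct; returns 0 if fewer than 20 bytes. */
int tcp_header_from_bytes(const uint8_t *pkt, size_t len, TCPHeader *hdr)
{
    if (pkt == NULL || hdr == NULL || len < sizeof(TCPHeader))
        return 0;
    memcpy(hdr, pkt, sizeof(TCPHeader));
    return 1;
}

/* Value of the three reserved bits (0..7). A nonzero value cannot be matched
 * by the 'flags' keyword, which only examines byte 13. */
int tcp_reserved_bits(const TCPHeader *hdr)
{
    return (hdr->offset_reserved & TCP_RESERVED_MASK) >> 1;
}

/* Predicate a shared object rule would evaluate: alert when any reserved bit
 * is set, ignoring NS/CWR/ECE, which are legitimate ECN signalling. */
int tcp_reserved_bits_alert(const uint8_t *pkt, size_t len)
{
    TCPHeader hdr;
    if (!tcp_header_from_bytes(pkt, len, &hdr))
        return 0;
    return tcp_reserved_bits(&hdr) != 0;
}

/* Constructed sample: SYN with data offset 5 and reserved bit 1 set (byte 12 = 0x52). */
const uint8_t sample_syn_reserved[20] = {
    0xC3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x52, 0x02, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 };
```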

On Tue, Jul 28, 2015 at 2:06 PM, Y M <snort at ...3751...> wrote:

> Thanks Geoffrey.
>
> Interesting. My interpretation of the documentation and aligning that with
> the TCP header, the "E" and "C" flags will check whether the last 2 bits of
> the higher order bits of byte offset 13, i.e.: CWR and ECE. Precisely, I
> was attempting to address the match against the first 3 bits of the lower
> order bits of byte offset 12 excluding the ECN-E/NS bit, similar to what is
> described in RFC4413, or at least my interpretation of it.
>
> I could be completely off here, so please correct if I am wrong.
>
> Thanks again!
> YM
>
> ------------------------------
> Date: Tue, 28 Jul 2015 13:38:29 -0400
> Subject: Re: [Snort-sigs] TCP header reserved bits
> From: gserrao at ...435...
> To: snort at ...3751...
> CC: snort-sigs at lists.sourceforge.net
>
>
> YM,
>
> It looks like you can still use 'flags:2' to check if the low order
> reserved bits field in a TCP header have been set.
>
>             case '1': /* reserved bit flags */
>             case 'c':
>             case 'C':
>                 idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
>                 break;
>
>             case '2': /* reserved bit flags */
>             case 'e':
>             case 'E':
>                 idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
>                 break;
>
> From the online snort manual under the 'flags' keyword section:
>
> The reserved bits '1' and '2' have been replaced with 'C' and 'E',
> respectively, to match RFC 3168, "The Addition of Explicit Congestion
> Notification (ECN) to IP". The old values of '1' and '2' are still valid
> for the flag keyword, but are now deprecated.
>
> On Tue, Jul 28, 2015 at 12:46 PM, Y M <snort at ...3751...> wrote:
>
> I was wondering if there is a content modifier or some way to check
> whether the low order reserved bits of byte offset 12 in the TCP header is
> set. There is nothing I could find about this in the documentation. I also
> checked gid:129 rules and couldn't infer that the check/detection is
> available.
>
> Any pointers or help is welcome.
>
> Thanks.
> YM
>
>