[Snort-sigs] TCP header reserved bits

Geoffrey Serrao gserrao at ...435...
Tue Jul 28 15:17:04 EDT 2015


whoops, attaching example pcap.

On Tue, Jul 28, 2015 at 3:16 PM, Geoffrey Serrao <gserrao at ...435...> wrote:

> YM,
>
> I tested the flags option with the attached pcap and you're absolutely
> right that those 3 highest order bits in the flag section can't be tested
> with the 'flags' keyword.
>
> If you're up for writing a shared object rule the tcp flags in their
> entirety are available to you in the TCPHeader structure:
>
> typedef struct _TCPHeader
>  {
>      uint16_t source_port;
>      uint16_t destination_port;
>      uint32_t sequence;
>      uint32_t acknowledgement;
>      uint8_t offset_reserved;
>      uint8_t flags;
>      uint16_t window;
>      uint16_t checksum;
>      uint16_t urgent_pointer;
>  } TCPHeader;
>
>
> You could create a shared object rule that looks at the flags byte and
> alerts if the first three bits are set.
>
> On Tue, Jul 28, 2015 at 2:06 PM, Y M <snort at ...3751...> wrote:
>
>> Thanks Geoffrey.
>>
>> Interesting. My interpretation of the documentation, aligned with the
>> TCP header, is that the "E" and "C" flags check whether the last 2 bits of
>> the higher order bits of byte offset 13, i.e. CWR and ECE, are set.
>> Precisely, I was attempting to address the match against the first 3 bits
>> of the lower order bits of byte offset 12, excluding the ECN-E/NS bit,
>> similar to what is described in RFC4413, or at least my interpretation of
>> it.
>>
>> I could be completely off here, so please correct if I am wrong.
>>
>> Thanks again!
>> YM
>>
>> ------------------------------
>> Date: Tue, 28 Jul 2015 13:38:29 -0400
>> Subject: Re: [Snort-sigs] TCP header reserved bits
>> From: gserrao at ...435...
>> To: snort at ...3751...
>> CC: snort-sigs at lists.sourceforge.net
>>
>>
>> YM,
>>
>> It looks like you can still use 'flags:2' to check if the low order
>> reserved bits field in a TCP header have been set.
>>
>> case '1': /* reserved bit flags */
>> case 'c':
>> case 'C':
>>     idx->tcp_flags |= R_CWR; /* Congestion Window Reduced, RFC 3168 */
>>     break;
>>
>> case '2': /* reserved bit flags */
>> case 'e':
>> case 'E':
>>     idx->tcp_flags |= R_ECE; /* ECN echo, RFC 3168 */
>>     break;
>>
>>
>>
>>
>> From the online snort manual under the 'flags' keyword section:
>>
>> The reserved bits '1' and '2' have been replaced with 'C' and 'E',
>> respectively, to match RFC 3168, "The Addition of Explicit Congestion
>> Notification (ECN) to IP". The old values of '1' and '2' are still valid
>> for the flag keyword, but are now deprecated.
>>
>> On Tue, Jul 28, 2015 at 12:46 PM, Y M <snort at ...3751...> wrote:
>>
>> I was wondering if there is a content modifier or some way to check
>> whether the low order reserved bits of byte offset 12 in the TCP header is
>> set. There is nothing I could find about this in the documentation. I also
>> checked gid:129 rules and couldn't infer that the check/detection is
>> available.
>>
>> Any pointers or help is welcome.
>>
>> Thanks.
>> YM
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>>
>
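The check Geoffrey describes, a rule that reads the header bytes directly rather than going through the 'flags' keyword, as an added example that is not part of this thread and does not use Snort's shared object rule API: it copies a constructed 20-byte TCP header into the same TCPHeader layout quoted above and reads the three reserved bits out of offset_reserved (byte 12, between the data offset nibble and the NS bit, per RFC 793 and RFC 3540), alongside the CWR/ECE bits in flags (byte 13) that 'flags:CE' actually tests. The sample headers, the function names and the TH_CWR/TH_ECE constants are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the TCPHeader struct quoted in the thread (20 bytes, no padding). */
typedef struct _TCPHeader {
    uint16_t source_port;
    uint16_t destination_port;
    uint32_t sequence;
    uint32_t acknowledgement;
    uint8_t  offset_reserved;   /* byte 12: data offset (high nibble), 3 reserved bits + NS (low nibble) */
    uint8_t  flags;             /* byte 13: CWR ECE URG ACK PSH RST SYN FIN */
    uint16_t window;
    uint16_t checksum;
    uint16_t urgent_pointer;
} TCPHeader;

#define TCP_HDR_MIN_LEN 20

/* Bit masks within byte 13, the byte Snort's 'flags' keyword inspects (names assumed here). */
#define TH_CWR 0x80
#define TH_ECE 0x40

/* Data offset in 32-bit words: the high nibble of byte 12. */
static inline unsigned tcp_data_offset(const TCPHeader *h) { return (h->offset_reserved >> 4) & 0x0F; }

/* The three reserved bits: bits 3..1 of byte 12's low nibble (NS sits below them). */
static inline unsigned tcp_reserved_bits(const TCPHeader *h) { return (h->offset_reserved >> 1) & 0x07; }

/* NS (nonce sum, RFC 3540): the lowest bit of byte 12. */
static inline unsigned tcp_ns_bit(const TCPHeader *h) { return h->offset_reserved & 0x01; }

/* CWR/ECE from byte 13, i.e. what 'flags:CE' matches on. */
static inline unsigned tcp_ecn_flags(const TCPHeader *h) { return h->flags & (TH_CWR | TH_ECE); }

/* Copy a raw header into the struct; ports etc. stay in network byte order. Returns -1 if too short. */
int parse_tcp_header(const uint8_t *buf, size_t len, TCPHeader *out) {
    if (len < TCP_HDR_MIN_LEN) return -1;
    memcpy(out, buf, TCP_HDR_MIN_LEN);
    return 0;
}

/* Detection check: 1 if any of the three reserved bits in byte 12 is set, 0 otherwise. */
int tcp_reserved_bits_set(const uint8_t *buf, size_t len) {
    TCPHeader h;
    if (parse_tcp_header(buf, len, &h) != 0) return 0;
    return tcp_reserved_bits(&h) != 0;
}

/* Constructed 20-byte headers (ports 12345 -> 80, data offset 5, no options). */
static const uint8_t kSynClean[TCP_HDR_MIN_LEN] = {        /* byte 12 = 0x50: reserved 000, NS 0 */
    0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50, 0x02, 0xFF,0xFF, 0,0, 0,0 };
static const uint8_t kSynReserved[TCP_HDR_MIN_LEN] = {     /* byte 12 = 0x5E: reserved 111, NS 0 */
    0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x5E, 0x02, 0xFF,0xFF, 0,0, 0,0 };
static const uint8_t kSynEcn[TCP_HDR_MIN_LEN] = {          /* byte 12 = 0x51: NS 1; byte 13 = CWR|ECE|SYN */
    0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x51, 0xC2, 0xFF,0xFF, 0,0, 0,0 };

int main(void) {
    const uint8_t *samples[] = { kSynClean, kSynReserved, kSynEcn };
    const char *names[] = { "clean SYN", "reserved bits set", "ECN (CWR|ECE) + NS" };
    for (size_t i = 0; i < 3; i++) {
        TCPHeader h;
        parse_tcp_header(samples[i], TCP_HDR_MIN_LEN, &h);
        printf("%-20s offset=%u reserved=0x%x ns=%u ecn=0x%02x -> alert=%d\n",
               names[i], tcp_data_offset(&h), tcp_reserved_bits(&h), tcp_ns_bit(&h),
               tcp_ecn_flags(&h), tcp_reserved_bits_set(samples[i], TCP_HDR_MIN_LEN));
    }
    return 0;
}
```

The ECN sample shows the distinction the thread turns on: 'flags:CE' fires on it because CWR and ECE live in byte 13, while the reserved-bit check does not, because its byte 12 carries only NS and the data offset. Only the second sample trips tcp_reserved_bits_set.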
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example_res_3_bits.pcap
Type: application/vnd.tcpdump.pcap
Size: 10208 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150728/85eb5531/attachment.pcap>

