[Snort-users] Checksum Computation

Novak, Judy H. Judy.Novak at ...383...
Tue Aug 29 07:19:48 EDT 2000


Just subscribed to the list and I'm not sure if this has been discussed
before.  I see stealth scan detects by the portscan that have a signature
of multiple mutant TCP flags set.  These appear strange enough that I wonder
if there is some kind of packet corruption at the transport layer.  It looks
like there is a new tool that deliberately sends strange packets (bubonic),
but I'm wondering if some kind of validation can be made in the portscan
code to see if the TCP checksum has been corrupted.

If the computed TCP checksum by the portscan code and the packet TCP
checksum don't match - then perhaps the record could be printed out with TCP
checksum mismatch or some label that indicates that the TCP portion of the
packet has been corrupted.  This will help distinguish the corrupted from
malicious packets.  I realize that there can still be corruption and the
checksum will still match given a swap of 16-bit fields, but I think it
would be helpful to have this check.

Thanks - Judy Novak
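The check proposed above, as an added example in C that is neither Snort's own portscan code nor part of the original post: it computes the TCP checksum over the IPv4 pseudo-header and segment, compares it with the field carried in the header, and shows why a corrupted bit is caught while a swap of two 16-bit words is not. The addresses and the SYN segment are constructed sample data, not a capture.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Ones-complement sum of big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t ones_sum(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    return len ? acc + ((uint32_t)p[0] << 8) : acc;
}

/* RFC 793 TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
 * plus the TCP header and payload. If the checksum field is already filled in, an
 * intact segment sums to 0. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *tcp, size_t len)
{
    uint8_t ph[12] = {0};
    memcpy(ph, src, 4); memcpy(ph + 4, dst, 4);
    ph[9] = 6; ph[10] = (uint8_t)(len >> 8); ph[11] = (uint8_t)len;
    uint32_t acc = ones_sum(ones_sum(0, ph, 12), tcp, len);
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);   /* fold carries back in */
    return (uint16_t)~acc;
}

/* The proposed check: 1 if the checksum carried at header offset 16 is consistent
 * with the segment, 0 if the TCP portion has been corrupted in transit. */
int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *tcp, size_t len)
{
    return tcp_checksum(src, dst, tcp, len) == 0;
}

/* Constructed sample (not a capture): 10.0.0.1:1234 -> 10.0.0.2:80, SYN, seq 1,
 * window 8192, no options or payload; the checksum field (bytes 16-17) is left zero. */
const uint8_t SAMPLE_SRC[4] = {10, 0, 0, 1}, SAMPLE_DST[4] = {10, 0, 0, 2};
const uint8_t SAMPLE_SYN[20] = { 0x04, 0xD2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
                                 0x00, 0x00, 0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    uint8_t seg[20], tmp[2]; memcpy(seg, SAMPLE_SYN, 20);
    uint16_t c = tcp_checksum(SAMPLE_SRC, SAMPLE_DST, seg, 20);                      /* 0x76BD */
    seg[16] = (uint8_t)(c >> 8); seg[17] = (uint8_t)c;                  /* fill in the field */
    printf("intact:        %d\n", tcp_checksum_ok(SAMPLE_SRC, SAMPLE_DST, seg, 20)); /* 1 */
    seg[13] ^= 0x01;                                                 /* corrupt one flag bit */
    printf("bit flipped:   %d\n", tcp_checksum_ok(SAMPLE_SRC, SAMPLE_DST, seg, 20)); /* 0 */
    seg[13] ^= 0x01;
    memcpy(tmp, seg, 2); memcpy(seg, seg + 2, 2); memcpy(seg + 2, tmp, 2); /* swap two 16-bit words */
    printf("words swapped: %d\n", tcp_checksum_ok(SAMPLE_SRC, SAMPLE_DST, seg, 20)); /* still 1 */
    return 0;
}
```

The last case is the limitation mentioned above: the ones-complement sum is order-independent, so exchanging whole 16-bit fields leaves the checksum valid.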
