[Snort-users] TCP reserved flags: which is it?

John Sage jsage at ...2022...
Wed Jul 17 23:39:02 EDT 2002


Received some tcp:25 packets with the reserved flag bits set.

snort 1.8.7 reports:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/17-20:11:24.884824 209.167.90.34:47060 -> 12.82.129.7:25
TCP TTL:47 TOS:0x0 ID:26375 IpLen:20 DgmLen:60 DF

12****S* Seq: 0x7D870B18  Ack: 0x0  Win: 0x16D0  TcpLen: 40

TCP Options (5) => MSS: 1380 SackOK TS: 303867600 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


while ACID reports the same packet as:

------------------------------------------------------------------------------
#(267 - 8) [2002-07-17 20:11:24]  TCP to 25 smtp
IPv4: 209.167.90.34 -> 12.82.129.7
      hlen=5 TOS=0 dlen=60 ID=26375 flags=0 offset=0 TTL=47 chksum=11154

TCP:  port=47060 -> dport: 25  flags=21****S* seq=2106002200

      ack=0 off=10 res=0 win=5840 urp=0 chksum=32298
      Options:
       #1 - MSS len=4 data=0564
       #2 - SACKOK len=0
       #3 - TS len=10 data=121CA6D000000000
       #4 - NOP len=0
       #5 - WS len=3 data=00
Payload: none
------------------------------------------------------------------------------

Note that snort has the flags as 1 - 2 while ACID has them as 2 - 1


Which is it?

I'd tend to believe snort...


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
