[Snort-users] TCP reserved flags: which is it?

Chris Keladis Chris.Keladis at ...6400...
Sun Jul 21 16:53:02 EDT 2002


Hi John,

The flags represent the same.

It just seems like ACID prints them out in a different order.

You still have reserved flags 1 and 2 set, regardless of whether you read them 
as 2 and 1.

Regards,

Chris.


John Sage wrote:

> Received some tcp:25 packets with the reserved flag bits set.
> 
> snort 1.8.7 reports:
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 07/17-20:11:24.884824 209.167.90.34:47060 -> 12.82.129.7:25
> TCP TTL:47 TOS:0x0 ID:26375 IpLen:20 DgmLen:60 DF
> 
> 12****S* Seq: 0x7D870B18  Ack: 0x0  Win: 0x16D0  TcpLen: 40
> 
> TCP Options (5) => MSS: 1380 SackOK TS: 303867600 0 NOP WS: 0 
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 
> while ACID reports the same packet as:
> 
> ------------------------------------------------------------------------------
> #(267 - 8) [2002-07-17 20:11:24]  TCP to 25 smtp
> IPv4: 209.167.90.34 -> 12.82.129.7
>       hlen=5 TOS=0 dlen=60 ID=26375 flags=0 offset=0 TTL=47 chksum=11154
> 
> TCP:  port=47060 -> dport: 25  flags=21****S* seq=2106002200
> 
>       ack=0 off=10 res=0 win=5840 urp=0 chksum=32298
>       Options:
>        #1 - MSS len=4 data=0564
>        #2 - SACKOK len=0
>        #3 - TS len=10 data=121CA6D000000000
>        #4 - NOP len=0
>        #5 - WS len=3 data=00
> Payload: none
> ------------------------------------------------------------------------------
> 
> Note that snort has the flags as 1 - 2 while ACID has them as 2 - 1
> 
> 
> Which is it?
> 
> I'd tend to believe snort...
> 
> 
> - John
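As an added example, not part of the thread and not Snort's or ACID's own code: the script below decodes the TCP header John posted (rebuilt here as constructed bytes from the values in the two printouts, not a capture), renders the flags byte in Snort's "12UAPRSF" column order, and compares the two printed strings order-insensitively, which is the check that settles the question: both tools mark the same three columns. Bit values and column order follow Snort 1.8's decode.h as I read it (RES1 = 0x80 printed as "1", RES2 = 0x40 printed as "2"); ACID's own letter-to-bit mapping is not assumed, only that it prints the same set of columns in a different order. One fact from outside the thread: RFC 3168 later assigned those two bits as CWR and ECE, so a flags byte of 0xC2 is an ECN-setup SYN rather than a malformed one, and the example checks for that too.

```python
import struct

# Bit values of the 8-bit TCP flags field. Snort 1.8 named the two high bits
# TH_RES1 (0x80) and TH_RES2 (0x40) in decode.h; RFC 3168 assigns them CWR and ECE.
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TH_RES2_ECE, TH_RES1_CWR = 0x40, 0x80

# Column order of Snort's "12UAPRSF" flag string, highest bit first.
SNORT_COLUMNS = (("1", TH_RES1_CWR), ("2", TH_RES2_ECE), ("U", TH_URG), ("A", TH_ACK),
                 ("P", TH_PUSH), ("R", TH_RST), ("S", TH_SYN), ("F", TH_FIN))

NAMES = ((TH_RES1_CWR, "RES1/CWR"), (TH_RES2_ECE, "RES2/ECE"), (TH_URG, "URG"),
         (TH_ACK, "ACK"), (TH_PUSH, "PSH"), (TH_RST, "RST"), (TH_SYN, "SYN"), (TH_FIN, "FIN"))

# Constructed 40-byte TCP header rebuilt from the values in the thread
# (47060 -> 25, seq 0x7D870B18, offset 10, flags 0xC2, win 0x16D0, chksum 32298,
# options MSS 1380 / SackOK / TS 303867600 0 / NOP / WS 0). Not a real capture.
SAMPLE_TCP_HEADER = bytes.fromhex(
    "b7d4 0019"                 # source port 47060, destination port 25
    "7d87 0b18"                 # sequence number 0x7D870B18 (2106002200)
    "0000 0000"                 # acknowledgement number 0
    "a0 c2"                     # data offset 10 words + 4 reserved bits 0, flags 0xC2
    "16d0 7e2a 0000"            # window 5840, checksum 0x7E2A (32298), urgent pointer 0
    "0204 0564"                 # option: MSS 1380
    "0402"                      # option: SackOK
    "080a 121c a6d0 0000 0000"  # option: Timestamps 303867600, 0
    "01"                        # option: NOP
    "0303 00"                   # option: Window scale 0
)


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields Snort and ACID print."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urp = struct.unpack("!HHIIBBHHH", raw[:20])
    data_off = off_res >> 4       # header length in 32-bit words (ACID's off=)
    reserved = off_res & 0x0F     # 4 reserved bits in the offset byte (ACID's res=),
                                  # a different field from the two high flag bits
    if data_off < 5 or data_off * 4 > len(raw):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "off": data_off,
            "res": reserved, "flags": flags, "win": win, "chksum": csum, "urp": urp}


def snort_flag_string(flags: int) -> str:
    """Render flags the way Snort does: '12UAPRSF' columns, '*' for each clear bit."""
    return "".join(ch if flags & bit else "*" for ch, bit in SNORT_COLUMNS)


def flag_names(flags: int) -> list:
    """Human-readable names of the set bits, highest bit first."""
    return [name for bit, name in NAMES if flags & bit]


def flags_equivalent(a: str, b: str) -> bool:
    """Order-insensitive comparison of two printed flag strings (Snort vs ACID).
    Only the set of marked columns matters, so '12****S*' matches '21****S*'."""
    return set(a.replace("*", "")) == set(b.replace("*", ""))


def is_ecn_setup_syn(flags: int) -> bool:
    """RFC 3168 ECN-setup SYN: SYN, CWR and ECE set, ACK clear."""
    mask = TH_SYN | TH_ACK | TH_RES1_CWR | TH_RES2_ECE
    return (flags & mask) == (TH_SYN | TH_RES1_CWR | TH_RES2_ECE)


if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_TCP_HEADER)
    print(f"{hdr['sport']} -> {hdr['dport']} flags={snort_flag_string(hdr['flags'])} "
          f"({', '.join(flag_names(hdr['flags']))}) seq={hdr['seq']} "
          f"off={hdr['off']} res={hdr['res']} win={hdr['win']}")
    print("Snort '12****S*' vs ACID '21****S*' equivalent:",
          flags_equivalent("12****S*", "21****S*"))
    print("ECN-setup SYN:", is_ecn_setup_syn(hdr["flags"]))
```

Run it as a script to see the decoded header beside the equivalence check. The comparison deliberately works on the printed strings rather than on bit values, so it does not depend on knowing which of the two reserved bits ACID labels "1" and which "2"; it only confirms that the same columns are marked in both printouts.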