[Snort-users] (snort_decoder): Truncated Tcp Options

MH procana at ...4296...
Sun Apr 27 05:01:04 EDT 2003

Hi Jason,

What the Truncated TCP options means is that a certain TCP option was set 
in the segment (identified by an option "Kind") but did not use
a corresponding length or reported an incorrect length.
For example, if a maximum segment size (MSS) option, kind = 2, is used, it is 
followed by the length of that option including that option's data (Length 
= 4).  This way the stack knows to look at 4 bytes total for this 
particular option to find the option's data.
The packet trace for an MSS of 1460 might look like this: ... 02 04 05 b4 ...

Take a look at your snort dump or a packet trace that tripped this alert 
and look for the offending "Kind" of option that was set.  Next to that you 
will see what it is reporting as the length of the option.  The reported 
length would place the data for that option beyond the allotted space to 
the options within the segment.  Reference the parameters list here: 

Clear as mud right?

You can turn this off within your snort.conf file by adding the line 
"config disable_tcpopt_alerts".

Hope this helps,
  (  )   ASCII ribbon campaign
   X   against HTML email
/   \

At 04:53 PM 4/26/2003 -0400, Jason Beveridge wrote:
>Hi, I am a newbie. I keep getting a lot of alerts listed as:
>(snort_decoder): Truncated Tcp Options.
>There's no snort ID for them - it seems they are junk. What is this and
>how can I get rid of it? Any info is appreciated.

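The Kind/Length check described in the reply above, as an added example (not part of the original post and not Snort's decoder source): a C walk of the TCP options area that reports which Kind failed and why. The function name, result codes and sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum { OPT_OK, OPT_NO_LENGTH, OPT_BAD_LENGTH, OPT_OVERRUN };

/* Walk the TCP options area (the header bytes after the fixed 20).
 * On failure *kind is the offending Kind and *off its offset. */
int check_tcp_options(const uint8_t *opts, size_t len, uint8_t *kind, size_t *off)
{
    size_t i = 0;
    while (i < len) {
        *kind = opts[i];
        *off = i;
        if (opts[i] == 0)        /* End of Option List: nothing more to parse */
            return OPT_OK;
        if (opts[i] == 1) {      /* NOP: one byte, no Length field */
            i++;
            continue;
        }
        if (i + 1 >= len)        /* Kind is the last byte, Length is missing */
            return OPT_NO_LENGTH;
        uint8_t optlen = opts[i + 1];
        if (optlen < 2)          /* Length must at least cover Kind + Length */
            return OPT_BAD_LENGTH;
        if (optlen > len - i)    /* option data would run past the options area */
            return OPT_OVERRUN;
        i += optlen;             /* well formed: skip to the next Kind */
    }
    return OPT_OK;
}

/* Constructed sample option areas, not taken from a real capture. */
static const uint8_t good_mss[]  = { 0x02, 0x04, 0x05, 0xb4 };       /* MSS 1460 */
static const uint8_t short_mss[] = { 0x01, 0x01, 0x02, 0x04, 0x05 }; /* MSS cut short */
static const uint8_t no_len[]    = { 0x01, 0x01, 0x01, 0x02 };       /* Kind only */

int main(void)
{
    const uint8_t *s[] = { good_mss, short_mss, no_len };
    size_t n[] = { sizeof good_mss, sizeof short_mss, sizeof no_len };
    for (int t = 0; t < 3; t++) {
        uint8_t kind = 0; size_t off = 0;
        int rc = check_tcp_options(s[t], n[t], &kind, &off);
        printf("sample %d: rc=%d kind=%u offset=%zu\n", t, rc, kind, off);
    }
    return 0;
}
```

The reported Kind and offset are the values to look for in the packet dump when working out which option tripped the alert.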