[Snort-users] (snort_decoder): Truncated Tcp Options
procana at ...4296...
Sun Apr 27 05:01:04 EDT 2003
What the Truncated TCP options means is that a certain TCP option was set
in the segment (identified by an option "Kind") but did not use
a corresponding length or reported an incorrect length.

For example, if a maximum segment size (MSS) option, kind = 2, is used, it is
followed by the length of that option including that option's data (Length
= 4). This way the stack knows to look at 4 bytes total for this
particular option to find the option's data.

The packet trace for an MSS of 1460 might look like this ... 02 04 05 b4 ...

Take a look at your snort dump or a packet trace that tripped this alert
and look for the offending "Kind" of option that was set. Next to that you
will see what it is reporting as the length of the option. The reported
length would place the data for that option beyond the allotted space to
the options within the segment. Reference the parameters list here:

Clear as mud, right?

You can turn this off within your snort.conf file by adding the line

Hope this helps,
( ) ASCII ribbon campaign
X against HTML email
At 04:53 PM 4/26/2003 -0400, Jason Beveridge wrote:
>Hi, I am a newbie. I keep getting a lot of alerts listed as:
>(snort_decoder): Truncated Tcp Options.
>There's no snort ID for them - it seems they are junk. What is this and
>how can I get rid of it? Any info is appreciated.
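
Added example, not part of the original post and not Snort's decoder code: a minimal C walk over a TCP options area that applies the Kind/Length check the reply describes and reports which option is truncated. The function name, result codes and sample byte strings are constructed for illustration; kinds 0 (End of Option List) and 1 (NOP) are the single-byte options that carry no Length field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (names are this example's own, not Snort's). */
enum { OPT_OK = 0, OPT_TRUNCATED = -1, OPT_BAD_LEN = -2 };

/* Walk the TCP options area (the header bytes after the fixed 20).
 * On failure, *kind and *off report the offending option and its offset. */
int check_tcp_options(const uint8_t *o, size_t n, uint8_t *kind, size_t *off)
{
    size_t i = 0;
    while (i < n) {
        if (o[i] == 0) return OPT_OK;           /* End of Option List */
        if (o[i] == 1) { i++; continue; }       /* NOP: one byte, no Length */
        *kind = o[i];
        *off = i;
        if (n - i < 2) return OPT_TRUNCATED;    /* Kind set, no Length byte */
        uint8_t olen = o[i + 1];
        if (olen < 2) return OPT_BAD_LEN;       /* must cover Kind + Length */
        if (olen > n - i) return OPT_TRUNCATED; /* data runs past options area */
        i += olen;
    }
    return OPT_OK;
}

/* Constructed sample option areas (not taken from a real capture). */
static const uint8_t ok_mss[]    = { 0x02, 0x04, 0x05, 0xb4 }; /* MSS 1460 */
static const uint8_t cut_mss[]   = { 0x01, 0x01, 0x02, 0x04 }; /* MSS data missing */
static const uint8_t no_length[] = { 0x01, 0x01, 0x01, 0x03 }; /* Kind 3, no Length */
static const uint8_t zero_len[]  = { 0x02, 0x00, 0x05, 0xb4 }; /* Length of 0 */

static void show(const char *name, const uint8_t *o, size_t n)
{
    uint8_t kind = 0;
    size_t off = 0;
    int rc = check_tcp_options(o, n, &kind, &off);
    if (rc == OPT_OK)
        printf("%-10s ok\n", name);
    else
        printf("%-10s rc=%d kind=%u at offset %zu\n", name, rc, kind, off);
}

int main(void)
{
    show("ok_mss", ok_mss, sizeof ok_mss);
    show("cut_mss", cut_mss, sizeof cut_mss);
    show("no_length", no_length, sizeof no_length);
    show("zero_len", zero_len, sizeof zero_len);
    return 0;
}
```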