[Snort-users] Questions about TCP Options
pauls at ...6838...
Fri Mar 18 11:02:36 EST 2005
I have some questions about three alerts. All three are generated by
Truncated TCP Options
Experimental TCP Options
Stealth Activity Detected
In all three cases, viewing the data in BASE, the options fields are "None"
for both IP and TCP. In all three cases there is no payload.
What exactly is snort detecting that sets off these alerts?
Here's an example of one raw packet:
03/17-23:00:01.914868 220.127.116.11:46597 -> 18.104.22.168:22
TCP TTL:63 TOS:0x0 ID:41027 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x5F5AF2EC Ack: 0xFD988884 Win: 0x7D4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 20862021 1159970956
00 00 00 0C 0A 15 00 00 00 00 00 00 00 00 00 00 ................
This shows the options as NOP, NOP, TS.
I know what the available options are -
But I don't know what "truncated" options are. There's two octets set
aside for options. Does "truncated" mean the kind octet is set but the
length octet is not? Or vice versa? (And how the heck did Skeeter and
Bubba get in there anyway?)
What does "Experimental" options mean? Is that referring to SACK? Why are
Let the packet monkeys speak. :-)
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
More information about the Snort-users