[Snort-users] Questions about TCP Options

Paul Schmehl pauls at ...6838...
Fri Mar 18 11:02:36 EST 2005

I have some questions about three alerts.  All three are generated by 

Truncated TCP Options
Experimental TCP Options
Stealth Activity Detected

In all three cases, viewing the data in BASE, the options fields are "None" 
for both IP and TCP.  In all three cases there is no payload.

What exactly is snort detecting that sets off these alerts?

Here's an example of one raw packet:

03/17-23:00:01.914868 ->
TCP TTL:63 TOS:0x0 ID:41027 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x5F5AF2EC  Ack: 0xFD988884  Win: 0x7D4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 20862021 1159970956
00 00 00 0C 0A 15 00 00 00 00 00 00 00 00 00 00  ................

This shows the options as NOP, NOP, TS.

I know what the available options are - 

But I don't know what "truncated" options are.  There's two octets set 
aside for options.  Does "truncated" mean the kind octet is set but the 
length octet is not?  Or vice versa?  (And how the heck did Skeeter and 
Bubba get in there anyway?)

What does "Experimental" options mean?  Is that referring to SACK?  Why are 
they noteworthy?

Let the packet monkeys speak.  :-)

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-users mailing list