[Bro] add detect bad tcp options ?
rmkml
rmkml at wanadoo.fr
Sun Jun 20 02:31:34 PDT 2004
Hi,
I received this packet, but Bro does not detect the bad TCP options.
Is this possibly a problem in Bro?
Is it because of the 'bad tcp cksum'?
Why does Bro detect OTH?
Because the three packets have only SYN set.
Regards
21:01:18.415654 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 12816, len 48)
21:01:21.267525 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 13811, len 48)
21:01:27.327379 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 15717, len 48)
bro1.log:1087585278.415652 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X
bro1.log:1087585281.267523 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X
bro1.log:1087585287.327377 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X
weird.log:1087585278.415652 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum
weird.log:1087585281.267523 219.159.210.66/4763 > 2.3.4.1/1025: active_connection_reuse
weird.log:1087585281.267523 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum
weird.log:1087585287.327377 219.159.210.66/4763 > 2.3.4.1/1025: active_connection_reuse
weird.log:1087585287.327377 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum
PS: snort/prelude/firestorm do not raise an event for this packet!
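
As an added example (not part of the original post and not Bro's code): a minimal Python walker over a TCP options block that flags invalid option lengths, the kind of check a sensor needs in order to report malformed options independently of the checksum result. The option bytes are constructed, since the post does not include the raw packets; `check_syn_options` is a hypothetical helper name, and the 8-byte size assumes a 20-byte IP header with no IP options.

```python
# Added example: walk a TCP options block and report malformed options.
# All sample bytes below are constructed; they are not taken from the capture.
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}  # MSS, window scale, SACK-permitted, timestamps
NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 5: "sack", 8: "timestamp"}

def parse_tcp_options(opts: bytes):
    """Return (parsed, problems): decoded options and a list of anomaly strings."""
    parsed, problems = [], []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list: the rest is padding
            parsed.append(("eol", b""))
            break
        if kind == 1:            # NOP: single byte, no length field
            parsed.append(("nop", b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            problems.append(f"kind {kind} at offset {i}: length byte missing")
            break
        length = opts[i + 1]
        if length < 2:           # length covers kind+length bytes, so 0 and 1 are invalid
            problems.append(f"kind {kind} at offset {i}: length {length} < 2")
            break                # cannot resynchronise, stop walking
        if i + length > len(opts):
            problems.append(f"kind {kind} at offset {i}: length {length} overruns options")
            break
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            problems.append(f"kind {kind} at offset {i}: length {length}, expected {FIXED_LEN[kind]}")
        parsed.append((NAMES.get(kind, f"opt-{kind}"), opts[i + 2:i + length]))
        i += length
    return parsed, problems

def check_syn_options(opts: bytes):
    """Hypothetical detector hook: flag a SYN whose options block is malformed."""
    parsed, problems = parse_tcp_options(opts)
    mss = next((int.from_bytes(v, "big") for n, v in parsed if n == "mss" and len(v) == 2), None)
    return {"mss": mss, "bad_options": bool(problems), "problems": problems}

# Constructed 8-byte options blocks (a 48-byte packet leaves 48 - 20 - 20 = 8 option bytes).
GOOD = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])   # mss 1460, nop, nop, sackOK
BAD = bytes([2, 4, 0x00, 0x90, 4, 0, 1, 1])    # mss 144, then SACK-permitted with length 0

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, check_syn_options(blob))
```

The walker stops at the first invalid length because the position of the next option can no longer be trusted; options decoded before that point, such as the MSS, are still returned.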