[Bro] add detect bad tcp options ?

rmkml rmkml at wanadoo.fr
Sun Jun 20 02:31:34 PDT 2004


Hi,

I received this packet,

but Bro does not detect the bad TCP options.

Possible problem in Bro?

Because of 'bad tcp cksum'?

Why does Bro detect OTH?

Because the three packets have only SYN set.


Regards

21:01:18.415654 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 12816, len 48)
21:01:21.267525 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 13811, len 48)
21:01:27.327379 219.159.210.66.4763 > 2.3.4.1.1025: S [bad tcp cksum 48e0!] 3183998805:3183998805(0) win 16384 <mss 144,[bad opt]> (DF) (ttl 109, id 15717, len 48)

bro1.log:1087585278.415652 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X
bro1.log:1087585281.267523 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X
bro1.log:1087585287.327377 ? 219.159.210.66 2.3.4.1 other 4763 1025 tcp ? ? OTH X
weird.log:1087585278.415652 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum
weird.log:1087585281.267523 219.159.210.66/4763 > 2.3.4.1/1025: active_connection_reuse
weird.log:1087585281.267523 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum
weird.log:1087585287.327377 219.159.210.66/4763 > 2.3.4.1/1025: active_connection_reuse
weird.log:1087585287.327377 219.159.210.66/4763 > 2.3.4.1/1025: bad_TCP_checksum


PS: snort/prelude/firestorm do not raise an event for this packet!