[Bro] add detect bad tcp options ?

Vern Paxson vern at icir.org
Sun Jun 27 16:21:49 PDT 2004


> I received this packet,
> but bro not detect bad tcp options,
> possible pb on bro ?
> because 'bad tcp cksum' ?

If the TCP checksum is bad, then the packet is ill-formed.  It does not
make sense in that case to complain about a bad option, since the packet
cannot be processed in any case.

> why bro detect OTH ?

Because the connection is not in a well-defined state.  Bro does *not*
consider it to have corresponded to a SYN being sent, because the packet
carrying the SYN was ill-formed.  For all it can tell, part of the damage
to the packet might have been to the control flags, and the SYN setting
is bogus.

		Vern
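
The ordering described in this reply, as an added example that is not Bro's code and not part of the original message: the TCP checksum is verified first, and options are only examined on a segment that passes. Function names, addresses and the sample SYN are constructed for illustration.

```python
# Added illustration, not Bro's code; function names and sample values are constructed.
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def bad_option(options: bytes):
    """Return a description of the first malformed option, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of option list
            return None
        if kind == 1:          # NOP is a single byte
            i += 1
            continue
        # A missing length byte is treated as length 0, which is also invalid.
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return "option kind %d has bad length %d" % (kind, length)
        i += length
    return None

def analyze(src: str, dst: str, segment: bytes) -> str:
    # Checksum first: if it fails, no field (flags, options) is trusted or reported on.
    if inet_checksum(pseudo_header(src, dst, len(segment)) + segment) != 0:
        return "bad_tcp_checksum"
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return "bad_tcp_header_len"
    problem = bad_option(segment[20:header_len])
    return "bad_tcp_option: " + problem if problem else "ok"

def build_syn(src: str, dst: str, options: bytes) -> bytes:
    """Constructed sample: SYN with 4-byte-aligned options and a correct checksum."""
    offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02, 8192, 0, 0) + options
    csum = inet_checksum(pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]
```

A segment carrying a malformed MSS option is reported as a bad option only while its checksum is valid; once any byte is damaged, the same segment yields only the checksum result.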


