Re: [Snort-users] (snort_decoder): Truncated Tcp Options
From: MH (procana insight.rr.com)
Date: Sun Apr 27 2003 - 07:00:27 CDT
Hi Jason,
What the Truncated TCP options means is that a certain TCP option was set
in the segment (identified by an option "Kind") but did not use
a corresponding length or reported an incorrect length.
For example, if a maximum segment size (MSS) option, kind = 2, is used, it is
followed by the length of that option including that option's data (Length
= 4). This way the stack knows to look at 4 bytes total for this
particular option to find the option's data.
The packet trace for an MSS of 1460 might look like this ... 02 04 05 b4 ...
Take a look at your snort dump or a packet trace that tripped this alert
and look for the offending "Kind" of option that was set. Next to that you
will see what it is reporting as the length of the option. The reported
length would place the data for that option beyond the allotted space to
the options within the segment. Reference the parameters list here:
http://www.iana.org/assignments/tcp-parameters
Clear as mud, right?
You can turn this off within your snort.conf file by adding the line
"config disable_tcpopt_alerts".
Hope this helps,
Mike
At 04:53 PM 4/26/2003 -0400, Jason Beveridge wrote:
>Hi, I am a newbie. I keep getting a lot of alerts listed as:
>(snort_decoder): Truncated Tcp Options.
>
>There's no snort ID for them - it seems they are junk. What is this and
>how can I get rid of it? Any info is appreciated.
>
>Jason
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
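The length check described in the reply above, as an added example that is not part of the original message and is not Snort's decoder code. The names scan_tcp_options and optscan are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of walking the options area of one TCP header. */
typedef struct {
    int truncated;   /* 1 if an option lacks its length byte or overruns the area */
    uint8_t kind;    /* Kind of the offending option (valid when truncated) */
    size_t offset;   /* its byte offset inside the options area */
    unsigned mss;    /* value of a well-formed MSS option (kind 2), else 0 */
} optscan;

optscan scan_tcp_options(const uint8_t *opt, size_t len)
{
    optscan r = {0, 0, 0, 0};
    size_t i = 0;

    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == 0)                    /* End of Option List */
            break;
        if (kind == 1) {                  /* NOP: one byte, no length */
            i++;
            continue;
        }
        /* Every other kind carries a length byte that counts the kind and
           length bytes themselves, so it must be >= 2 and fit in what is left. */
        if (i + 1 >= len || opt[i + 1] < 2 || (size_t)opt[i + 1] > len - i) {
            r.truncated = 1;
            r.kind = kind;
            r.offset = i;
            return r;
        }
        if (kind == 2 && opt[i + 1] == 4)
            r.mss = ((unsigned)opt[i + 2] << 8) | opt[i + 3];
        i += opt[i + 1];
    }
    return r;
}

int main(void)
{
    /* Constructed sample: MSS 1460 followed by a timestamp option (kind 8)
       claiming 10 bytes with only 4 left in the options area. */
    const uint8_t bad[] = {0x02, 0x04, 0x05, 0xb4, 0x08, 0x0a, 0x00, 0x00};
    optscan r = scan_tcp_options(bad, sizeof bad);
    printf("truncated=%d kind=%u offset=%zu mss=%u\n",
           r.truncated, (unsigned)r.kind, r.offset, r.mss);
    return 0;
}
```

The reported kind and offset point at the option to look for in the packet dump; the kind can then be looked up in the IANA parameters list linked in the message.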