[Dshield] tcp options

chupu forum at dshield.org
Tue Jan 24 19:32:12 GMT 2006



I got some funky TCP options today that Snort flagged.  I am not familiar with these options and am hoping someone has seen them.  I am good with the MSS,nop,nop,SACK.  But then I get confused...

4c0a 0101 0a1e 0415 0005

I believe (if I am reading the RFCs correctly), that it is SCPS Capabilities.  Does anyone know if there is an OS that has this set by default or why these flags would be set for web traffic or even if I am correct in it being SCPS?

20:10:21.161892 IP 10.0.0.1.21933 > 172.16.0.1.80: S 3902478646:3902478646(0) win 16384 
        0x0000:  4500 003c e5ba 0000 6f06 afef 0a00 0001  E..<....o.......
        0x0010:  ac10 0001 55ad 0050 e89b 1936 863d 00fa  ....U..P...6.=..
        0x0020:  a002 4000 2207 0000 0204 0564 0101 0402  ..@."......d....
        0x0030:  4c0a 0101 0a1e 0415 0005 0100            L...........

22:11:54.372103 IP 10.0.0.1.39016 > 172.16.0.1.80: S 597518684:597518684(0) win 16384 
        0x0000:  4500 003c 10a4 0000 6f06 8506 0a00 0001  E..<....o.......
        0x0010:  ac10 0001 9868 0050 239d 695c f41d ed8f  .....h.P#.i\....
        0x0020:  a002 4000 f9ad 0000 0204 0564 0101 0402  ..@........d....
        0x0030:  4c0a 0101 0a1e 0415 0005 0100            L...........
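
An added example, not part of the original post: a Python parser that walks the TCP options area of the first SYN in the dump above using the standard kind/length/data layout. The KNOWN_KINDS table is a short subset of the IANA TCP option registry chosen for this example; the flagged bytes decode as kind 0x4c (76), length 10, which is not in that table (SCPS Capabilities is kind 20).

```python
# Added example: decode the TCP options of the first SYN shown in the post.
# KNOWN_KINDS is a small subset of IANA-assigned option kinds (an assumption of
# this example); any other kind is reported by number.
KNOWN_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "Window Scale",
               4: "SACK Permitted", 5: "SACK", 8: "Timestamps",
               20: "SCPS Capabilities"}

# Packet bytes copied from the first hex dump in the post (IPv4 + TCP + options).
PACKET_HEX = """
4500 003c e5ba 0000 6f06 afef 0a00 0001
ac10 0001 55ad 0050 e89b 1936 863d 00fa
a002 4000 2207 0000 0204 0564 0101 0402
4c0a 0101 0a1e 0415 0005 0100
"""

def tcp_options_bytes(packet: bytes) -> bytes:
    """Return the raw options area of an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    data_offset = (packet[ihl + 12] >> 4) * 4    # TCP header length in bytes
    if data_offset < 20 or ihl + data_offset > len(packet):
        raise ValueError("bad TCP data offset")
    return packet[ihl + 20: ihl + data_offset]

def parse_tcp_options(opts: bytes):
    """Return a list of (kind, name, length, data); parsing stops at EOL."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        name = KNOWN_KINDS.get(kind, f"unknown kind {kind} (0x{kind:02x})")
        if kind in (0, 1):                       # EOL and NOP are single bytes
            out.append((kind, name, 1, b""))
            if kind == 0:
                break
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option: no length byte")
        length = opts[i + 1]                     # length counts kind and length bytes
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for kind {kind}")
        out.append((kind, name, length, opts[i + 2: i + length]))
        i += length
    return out

def decode(packet_hex: str = PACKET_HEX):
    return parse_tcp_options(tcp_options_bytes(bytes.fromhex("".join(packet_hex.split()))))

if __name__ == "__main__":
    for kind, name, length, data in decode():
        print(f"kind={kind:3d} len={length:2d} {name:24s} {data.hex()}")
```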


