[Dshield] tcp options

Dave Garn dgarn at crucialsecurity.com
Tue Jan 24 20:16:06 GMT 2006

chupu wrote:
 > I got some funky TCP options today that Snort flagged.  I am not
 > familiar with these options and am hoping someone has seen them.  I
 > am good with the MSS,nop,nop,SACK.  But then I get confused...
 > 4c0a 0101 0a1e 0415 0005
 > I believe (if I am reading the RFC's correclty), that it is SCPS
 > Capabilities.  Does anyone know if there is an OS that has this set
 > by default or why these flags would be set for web traffic or even if
 > I am even correct in it being SCPS?

I'm still learning about TCP Options myself, but the first byte (4c) 
indicates what kind of option (option "76", whatever that is) and the 
second byte (0a) indicates the length of the option is 10 bytes.  A 
length of 10 is consistent with how many bytes appear in your options field.

So if I *am* reading that correctly, you need to figure out what option 
"kind" (or number) 76 is.  I did a little googling and nothing jumped 
out at me though...

Dave Garn
Security Engineer
Crucial Security, Inc.

More information about the list mailing list