Snort TCP flags

0 votes
asked by user: (120 points)

As you know, TCP has 9 flags. But as you can see, the TCP flags field in Snort is 8 bits, defined in the sf_snort_packet.h file:

typedef struct _TCPHeader
{
    /* ... other header fields omitted in the question ... */
    uint8_t flags;
} TCPHeader;

Also, the predefined flags are 9 bits, as they must be:

#define TCPHEADER_FIN  0x01
#define TCPHEADER_SYN  0x02

Now I am confused: if I want to check the TCP_SYN flag, how do I do that? I have used this but it doesn't return the correct answer:

if (packet->tcp_header->flags & TCPHEADER_SYN) { /* SYN handling here */ }

Can anybody guide me about this issue? Thank you.


0 votes
answered by user: (180 points)

The NS (ECN-nonce concealment protection, experimental: see RFC 3540) flag in TCP is still "experimental" and there is no flag for this in Snort, so 8 bits is all that is needed to store the 8 other flags. That being said, I'm not entirely sure what you are doing here. Are you writing custom code within Snort and recompiling? If so you may need to provide more details/code.

Your logic is correct. The comparison you have should return 1 (true) if packet->tcp_header->flags has the second bit set. If this is your custom code you need to debug and dump the value of packet->tcp_header->flags to see what it is. In the Snort source this is usually referred to as p->tcp_header->flags, so if you are in that same scope and using the same variable for the packet you would need to change "packet" to "p", but again you may need to provide more code if it's custom.
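To make the answer's check concrete, here is an added example (not from the question, the answer, or Snort's own source) that reads the flags byte out of a constructed raw TCP header, dumps it, and tests bits with `&` the way the question does. Only TCPHEADER_FIN and TCPHEADER_SYN come from the page; the other macro names are assumed here from the standard bit layout, and the NS bit is shown in the byte before the flags byte, which is why an 8-bit flags field has no room for it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bits of the 8-bit TCP flags byte (header offset 13). FIN and SYN are the values
 * quoted from sf_snort_packet.h; the other names are assumed here and follow the
 * standard layout of RFC 793 / RFC 3168. */
#define TCPHEADER_FIN  0x01
#define TCPHEADER_SYN  0x02
#define TCPHEADER_RST  0x04
#define TCPHEADER_PUSH 0x08
#define TCPHEADER_ACK  0x10
#define TCPHEADER_URG  0x20
#define TCPHEADER_ECE  0x40  /* ECN-Echo (formerly reserved) */
#define TCPHEADER_CWR  0x80  /* Congestion Window Reduced (formerly reserved) */
/* Return the flags byte of a raw TCP header, or -1 if the buffer is too short. */
static int tcp_flags_byte(const uint8_t *raw, size_t len) {
    if (raw == NULL || len < 14) return -1;
    return raw[13];
}
/* The experimental NS bit (RFC 3540) lives in bit 0 of offset 12, next to the
 * data offset, not in the flags byte: 1 if set, 0 if clear, -1 if too short. */
static int tcp_ns_bit(const uint8_t *raw, size_t len) {
    if (raw == NULL || len < 14) return -1;
    return raw[12] & 0x01;
}
/* Bitwise test, as in the question: 1 if every bit of mask is set in flags. */
static int tcp_flags_set(uint8_t flags, uint8_t mask) {
    return (flags & mask) == mask;
}
/* Constructed sample: a 20-byte SYN-ACK header (flags byte 0x12, NS clear). */
static const uint8_t SAMPLE_SYNACK[20] = {
    0x00, 0x50, 0xc0, 0x01,             /* src port 80, dst port 49153 */
    0x00, 0x00, 0x00, 0x01,             /* sequence number */
    0x00, 0x00, 0x00, 0x02,             /* acknowledgement number */
    0x50, 0x12,                         /* data offset 5 (20 bytes); SYN|ACK */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00  /* window, checksum, urgent pointer */
};

int main(void) {
    int flags = tcp_flags_byte(SAMPLE_SYNACK, sizeof SAMPLE_SYNACK);
    if (flags < 0) return 1;
    /* Dump the raw byte first, as the answer suggests; a plain == SYN test misses a SYN-ACK. */
    printf("flags=0x%02x SYN=%d ACK=%d SYN-only=%d NS=%d\n", flags,
           tcp_flags_set((uint8_t)flags, TCPHEADER_SYN),
           tcp_flags_set((uint8_t)flags, TCPHEADER_ACK),
           flags == TCPHEADER_SYN,
           tcp_ns_bit(SAMPLE_SYNACK, sizeof SAMPLE_SYNACK));
    return 0;
}
```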
