Snortdb-Extra TCP_Flags Backward
This is a discussion on Snortdb-Extra TCP_Flags Backward within the Snort forums, part of the System Security and Security Related category; Hello, Apologies if I missed this elsewhere, but the Snortdb-Extra tcp_flag lookup tables seem to be backward -- at least ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
11-26-2003
|
|||
|
|||
Snortdb-Extra TCP_Flags Backward
Hello,
Apologies if I missed this elsewhere, but the Snortdb-Extra tcp_flag lookup tables seem to be backward -- at least for traffic sniffed on this machine. Specifically, the base10 tcp_flag numbers are correct, but the descriptions associated with them only match when the flag bits are read *backwards*. An example: Assume a SYN/ACK pkt with the flags set as follows: RS1 RS2 | CWR | ECN | URG | ACK | PSH | RST | SYN | FIN | |-----+-----+-----+-----+-----+-----+-----+-----| | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | The basic "tcp_flags" column in the "tcphdr" table correctly labels this as "18". (The right-most bit is the least significant one). However, the "flags" lookup table included in Snortdb-Extra matches "18" to the following description: "PSH: Standard/Invalid (reserved bit 2 active)" see below: > SELECT number, description FROM flags WHERE number = 18; +--------+-----------------------------------------------+ | number | description | +--------+-----------------------------------------------+ | 18 | PSH: Standard/Invalid (reserved bit 2 active) | +--------+-----------------------------------------------+ 1 row in set (0.00 sec) It *should* be a syn/ack! The flag bits are set backwards in the lookup table: > SELECT * FROM flags WHERE number = 18; *************************** 1. row *************************** number: 18 RES1: 0 RES2: 1 URG: 0 ACK: 0 PSH: 1 RST: 0 SYN: 0 FIN: 0 valid: 0 description: PSH: Standard/Invalid (reserved bit 2 active) 1 row in set (0.00 sec) similarly: if number = 02 [SYN], lookup table claims it's a "NULL Packet (reserved bit 2 active) " if number = 16 [ACK], lookup table claims it's a "PSH: Standard/Invalid" etc... So for proper lookup using the existing table, one must convert "number" to base2, read it backwards, and then do the lookup: Example for a syn/ack pkt: (number = 18) Convert 18 to base2: 00010010, re-write backwards: 01001000, convert to base10: 72, do the lookup: SELECT number, description FROM flags WHERE number = 72; and we get: +--------+----------------------------------+ | number | description | +--------+----------------------------------+ | 72 | ACK|SYN: Acknowlege a SYN packet | +--------+----------------------------------+ This is the correct description. This stuff may be a consequence of network byte ordering on the hardware used by these contributors, or some such thing, I'm gonna invert everything without much more thought unless I (sheepishly) read someone's post about how I misunderstood this scheme. If a corrected snortdb-extra is availaible, please post a link. Thanks in advance, -g. 
|
Linear Mode
