[Snort-users] Questions about TCP Options

03-18-2005
Paul Schmehl

I have some questions about three alerts. All three are generated by
preprocessors:

Truncated TCP Options
Experimental TCP Options
Stealth Activity Detected

In all three cases, viewing the data in BASE, the options fields are "None"
for both IP and TCP. In all three cases there is no payload.

What exactly is snort detecting that sets off these alerts?

Here's an example of one raw packet:

03/17-23:00:01.914868 129.110.95.215:46597 -> 67.123.84.30:22
TCP TTL:63 TOS:0x0 ID:41027 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x5F5AF2EC Ack: 0xFD988884 Win: 0x7D4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 20862021 1159970956
00 00 00 0C 0A 15 00 00 00 00 00 00 00 00 00 00 ................

This shows the options as NOP, NOP, TS.

I know what the available options are -
<http://www.iana.org/assignments/tcp-parameters>

But I don't know what "truncated" options are. There are two octets set
aside for options. Does "truncated" mean the kind octet is set but the
length octet is not? Or vice versa? (And how the heck did Skeeter and
Bubba get in there anyway?)

What does "Experimental" options mean? Is that referring to SACK? Why are
they noteworthy?

Let the packet monkeys speak. :-)

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
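Added example (not part of the original post, and not Snort's own decoder code): a small Python parser that walks the TCP option area the way any decoder must before it can print "NOP NOP TS: ...", and labels the two anomalies the post asks about. Assumptions, since the page does not define them: "truncated" is modelled as an option whose length byte is less than 2 or runs past the end of the option area given by the TCP data offset (or a kind byte with no room for its length byte); "experimental" is modelled as option kinds 253 and 254, which the IANA tcp-parameters registry reserves for experiments (RFC 4727). Whether Snort's decoder applies exactly these rules is an assumption; the option format itself (kind, length counting both header bytes, data; NOP and EOL are single bytes) is from RFC 793. The option block, ports, sequence numbers, flags and window are rebuilt from the values in the post's packet dump; the malformed option blocks are constructed for the example. One caveat on reading the dump: DgmLen 68 with a 20-byte IP header and a 32-byte TCP header leaves 16 bytes, so the hex line is a 16-byte segment payload, not the option bytes.

```python
"""Parse a raw TCP header and classify its options (added example).

Not Snort's decoder. Rules assumed here: "truncated" = length byte < 2,
length running past the option area, or a kind byte with no length byte;
"experimental" = IANA kinds 253/254 (RFC 4727).
"""
import struct
from dataclasses import dataclass

EOL, NOP = 0, 1
EXPERIMENTAL_KINDS = {253, 254}

# Names from the IANA tcp-parameters registry the post links to,
# including the two odd historical entries it mentions.
KIND_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SAckOK",
              5: "SAck", 8: "TS", 16: "Skeeter", 17: "Bubba",
              253: "Exp253", 254: "Exp254"}


@dataclass
class TcpOption:
    kind: int
    data: bytes          # option payload, without the kind/length bytes


def parse_tcp_options(header: bytes):
    """Return (options, anomalies) for a raw TCP header including options.

    anomalies is a subset of {"short_header", "bad_data_offset",
    "truncated", "experimental"}. Parsing stops at the first truncated
    option because nothing after it can be located reliably.
    """
    options, anomalies = [], set()
    if len(header) < 20:
        anomalies.add("short_header")
        return options, anomalies
    data_offset = (header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(header):
        anomalies.add("bad_data_offset")
        return options, anomalies
    area = header[20:data_offset]                 # the option bytes only
    i = 0
    while i < len(area):
        kind = area[i]
        if kind == EOL:
            break                                 # remainder is padding
        if kind == NOP:
            options.append(TcpOption(NOP, b""))
            i += 1
            continue
        if i + 1 >= len(area):                    # kind byte, no length byte
            anomalies.add("truncated")
            break
        length = area[i + 1]                      # includes kind+length bytes
        if length < 2 or i + length > len(area):
            anomalies.add("truncated")
            break
        options.append(TcpOption(kind, area[i + 2:i + length]))
        if kind in EXPERIMENTAL_KINDS:
            anomalies.add("experimental")
        i += length
    return options, anomalies


def describe(options):
    """Render options in the style of the post's Snort line, e.g. 'NOP NOP TS: 1 2'."""
    parts = []
    for o in options:
        if o.kind == 8 and len(o.data) == 8:
            tsval, tsecr = struct.unpack(">II", o.data)
            parts.append("TS: %d %d" % (tsval, tsecr))
        elif o.kind == 2 and len(o.data) == 2:
            parts.append("MSS: %d" % struct.unpack(">H", o.data)[0])
        else:
            parts.append(KIND_NAMES.get(o.kind, "Opt%d" % o.kind))
    return " ".join(parts)


def build_tcp_header(options: bytes) -> bytes:
    """Constructed test input: wrap an option block in a TCP header using the
    ports, seq/ack, flags (PSH|ACK) and window from the post's packet; pads
    the options to a 4-byte boundary with EOL and sets the data offset."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack(">HHIIBBHHH", 46597, 22, 0x5F5AF2EC, 0xFD988884,
                        data_offset << 4, 0x18, 0x7D4, 0, 0)
    return fixed + options


# The post's option block, rebuilt from the values Snort printed (constructed).
POST_OPTIONS = b"\x01\x01\x08\x0a" + struct.pack(">II", 20862021, 1159970956)

if __name__ == "__main__":
    samples = {
        "as in the post": POST_OPTIONS,
        "TS option cut off after 4 bytes": b"\x08\x0a\x01\x3e",
        "length byte of 1": b"\x02\x01\x00\x00",
        "kind byte with no length byte": b"\x01\x01\x01\x02",
        "experimental kind 253": b"\xfd\x04\x00\x00",
    }
    for label, opts in samples.items():
        parsed, anomalies = parse_tcp_options(build_tcp_header(opts))
        print("%-32s -> %-32s %s" % (label, describe(parsed), sorted(anomalies)))
```

Running the block prints one line per sample; the post's own option block comes out clean, rendered as NOP NOP TS: 20862021 1159970956, while the three malformed blocks are flagged truncated and kind 253 is flagged experimental. A decoder that did not stop at the first bad length would keep reading whatever bytes follow as further options, which is why a truncated option is worth an alert on its own.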

