List: dshield
Subject: Re: [Dshield] Valid TCP Flags?
From: Chris Brenton <cbrenton () chrisbrenton ! org>
Date: 2006-05-31 16:22:35
Message-ID: 1149092556.9728.264.camel () siren ! chrisbrenton ! org
On Wed, 2006-05-31 at 09:21 -0400, Jon R. Kibler wrote:
>
> I have been trying to put together a list of all possible valid combinations of
> IPv4 TCP flags. From the RFCs, I gather that the list should be:
> SYN
> SYN-ACK
> ACK
> PSH-ACK
> URG-ACK
> URG-PSH-ACK
> FIN
> FIN-ACK
> RST
> RST-ACK
I've also seen FIN-ACK-PSH in the wild and even (eek) SYN-PSH.
> Two questions:
> 1) Can RST and/or FIN ever appear alone, without an ACK?
Send an unsolicited ACK to an open or closed port and you will get back
a plain RST. A FIN will *never* appear by itself which is why Cisco's
"established" keyword filters on ACK and/or RST packets. Only FIN/ACK is
valid.
> 2) Are there other valid combinations that I have missed? If so, under what
> circumstances would you see that combination?
As mentioned I've seen pretty liberal use of the PSH bit.
HTH,
Chris
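
Added example, not part of the original message or written by either poster: a Python sketch that reads the flags byte from a raw TCP header, classifies it against the combinations named in this exchange, and applies the ACK-and/or-RST test the reply attributes to Cisco's "established" keyword. The label names, the helper functions and the sample headers are constructed for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header (the six classic flags only).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def mask(name):
    """Turn a name such as 'URG-PSH-ACK' into its bitmask."""
    return sum(FLAG_BITS[part] for part in name.split("-"))

# The list from the question, the extras the reply reports, and the one
# listed combination the reply rejects (a FIN with no ACK).
LISTED = {mask(n) for n in ("SYN", "SYN-ACK", "ACK", "PSH-ACK", "URG-ACK",
                            "URG-PSH-ACK", "FIN", "FIN-ACK", "RST", "RST-ACK")}
REPORTED = {mask(n) for n in ("FIN-ACK-PSH", "SYN-PSH")}
REJECTED = {mask("FIN")}

def tcp_flags(header):
    """Extract the six flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F

def flag_names(flags):
    return "-".join(n for n, b in FLAG_BITS.items() if flags & b) or "NONE"

def classify(flags):
    for label, group in (("rejected-in-reply", REJECTED), ("listed", LISTED),
                         ("reported-in-reply", REPORTED)):
        if flags in group:
            return label
    return "unlisted"

def matches_established(flags):
    """ACK and/or RST set: the test the reply attributes to Cisco's 'established'."""
    return bool(flags & (FLAG_BITS["ACK"] | FLAG_BITS["RST"]))

def build_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header (no options) used as sample input."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def report(headers):
    return [(flag_names(f), classify(f), matches_established(f))
            for f in map(tcp_flags, headers)]

# Constructed samples: SYN, bare FIN, FIN-ACK, bare RST, SYN-PSH, SYN-FIN.
SAMPLES = [build_header(f) for f in (0x02, 0x01, 0x11, 0x04, 0x0A, 0x03)]

if __name__ == "__main__":
    for row in report(SAMPLES):
        print("%-12s %-18s established=%s" % row)
```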