Snort mailing list archives
Questions about TCP Options
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 18 Mar 2005 13:00:40 -0600
I have some questions about three alerts. All three are generated by preprocessors:
Truncated TCP Options
Experimental TCP Options
Stealth Activity Detected

In all three cases, viewing the data in BASE, the options fields are "None" for both IP and TCP. In all three cases there is no payload.
What exactly is snort detecting that sets off these alerts? Here's an example of one raw packet:

03/17-23:00:01.914868 129.110.95.215:46597 -> 67.123.84.30:22
TCP TTL:63 TOS:0x0 ID:41027 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x5F5AF2EC Ack: 0xFD988884 Win: 0x7D4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 20862021 1159970956
00 00 00 0C 0A 15 00 00 00 00 00 00 00 00 00 00 ................

This shows the options as NOP, NOP, TS. I know what the available options are - <http://www.iana.org/assignments/tcp-parameters>
But I don't know what "truncated" options are. There are two octets set aside for options. Does "truncated" mean the kind octet is set but the length octet is not? Or vice versa? (And how the heck did Skeeter and Bubba get in there anyway?)
What do "Experimental" options mean? Is that referring to SACK? Why are they noteworthy?
Let the packet monkeys speak. :-)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
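As an added illustration, placed here by the editor and not part of the post or of the Snort project's code: a small Python walker over the TCP options field that shows what a structurally "truncated" option is, i.e. a kind octet whose length octet is missing, smaller than 2, or larger than the bytes that remain. The 12 option bytes are reconstructed from the packet quoted above (TcpLen 32 minus the fixed 20-byte header, NOP NOP TS), the broken samples are constructed, and the "well-known" kind set used to flag anything else is this example's own assumption, not Snort's decoder rule; kinds 253 and 254 are the IANA experimental kinds from RFC 4727.

```python
import struct

# TCP option kinds from the IANA registry the post links to.
EOL, NOP, MSS, WSCALE, SACK_PERMITTED, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
# Example assumption: kinds treated as well known here. Anything outside this
# set is reported by unknown_kinds(); this is NOT Snort's own classification.
WELL_KNOWN = {EOL, NOP, MSS, WSCALE, SACK_PERMITTED, SACK, TIMESTAMP}
NAMES = {EOL: "EOL", NOP: "NOP", MSS: "MSS", WSCALE: "WScale",
         SACK_PERMITTED: "SackOK", SACK: "Sack", TIMESTAMP: "TS"}


def lengths_from_snort_line(ip_len: int, dgm_len: int, tcp_len: int):
    """From Snort's IpLen/DgmLen/TcpLen fields, return (option bytes, payload bytes).

    TcpLen covers the 20-byte fixed TCP header plus options; DgmLen is the
    whole IP datagram, so what is left after both headers is TCP payload."""
    return tcp_len - 20, dgm_len - ip_len - tcp_len


def parse_tcp_options(opts: bytes):
    """Walk a TCP options field.

    Every option begins with a kind octet. EOL and NOP are one octet; every
    other kind is followed by a length octet that counts kind, length and data.
    Returns ([(kind, data), ...], [problem descriptions]). A problem is a
    structurally truncated option: no length octet, length < 2, or a length
    that runs past the end of the field. Parsing stops at the first problem,
    since the remaining bytes can no longer be framed."""
    options, problems = [], []
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == EOL:
            options.append((kind, b""))
            break                      # EOL ends the list; the rest is padding
        if kind == NOP:
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= n:
            problems.append(f"kind {kind} at offset {i}: no length octet")
            break
        length = opts[i + 1]
        if length < 2:
            problems.append(f"kind {kind} at offset {i}: length {length} < 2")
            break
        if i + length > n:
            problems.append(f"kind {kind} at offset {i}: length {length} "
                            f"but only {n - i} bytes remain")
            break
        options.append((kind, opts[i + 2:i + length]))
        i += length
    return options, problems


def unknown_kinds(options):
    """Kinds outside the example's well-known set, in order of appearance."""
    return [kind for kind, _ in options if kind not in WELL_KNOWN]


def render(options) -> str:
    """Render the parsed list in the style of Snort's 'TCP Options' line."""
    parts = []
    for kind, data in options:
        if kind == TIMESTAMP and len(data) == 8:
            tsval, tsecr = struct.unpack("!II", data)
            parts.append(f"TS: {tsval} {tsecr}")
        elif kind == MSS and len(data) == 2:
            parts.append(f"MSS: {struct.unpack('!H', data)[0]}")
        else:
            parts.append(NAMES.get(kind, f"Opt {kind}"))
    return f"TCP Options ({len(options)}) => " + " ".join(parts)


# Reconstructed by the editor from the packet quoted in the post:
# NOP, NOP, then a 10-byte Timestamp option carrying 20862021 / 1159970956.
GOOD = bytes([NOP, NOP, TIMESTAMP, 10]) + struct.pack("!II", 20862021, 1159970956)
# Constructed: the field ends right after the TS kind octet (no length octet).
NO_LENGTH = bytes([NOP, NOP, TIMESTAMP])
# Constructed: TS declares 10 bytes but only 6 bytes are left in the field.
SHORT = bytes([NOP, NOP, TIMESTAMP, 10, 0x00, 0x01])
# Constructed: a well-formed option using IANA experimental kind 253 (RFC 4727).
EXPERIMENTAL = bytes([NOP, 253, 4, 0xAB, 0xCD])

if __name__ == "__main__":
    print("options/payload bytes:", lengths_from_snort_line(20, 68, 32))
    for label, sample in [("good", GOOD), ("no length", NO_LENGTH),
                          ("short", SHORT), ("experimental", EXPERIMENTAL)]:
        opts, problems = parse_tcp_options(sample)
        print(f"{label:>12}: {render(opts)}  problems={problems}  "
              f"unknown={unknown_kinds(opts)}")
```

Run stand-alone it prints the quoted packet's options exactly as Snort rendered them, then shows the two constructed truncation cases stopping at the broken option and the experimental kind passing structurally but being flagged as outside the well-known set.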