page TCP Filter
name CHECK_RESERVED_TCP_FLAGS
text ############################################################################
text # CHECK_RESERVED_TCP_FLAGS
text ############################################################################
text # The TCP header contains 6 reserved bits which should be left at 0 in
text # normal packets. NMAP, QUESO and hping are known to set some of these
text # bits to 1. But ECN (RFC 2481) uses these bits for a legitimate purpose.
text #
text # If CHECK_RESERVED_TCP_FLAGS = 1, an alert will be sent for each packet
text # whose reserved bits are not all null.
text # If the monitored network uses ECN (or others...), disable this alert
text # with CHECK_RESERVED_TCP_FLAGS = 0.
text ############################################################################
text Alert when reserved TCP bits are not set to 0
mode scalar 0
name CHECK_URGENT
text ############################################################################
text # CHECK_URGENT
text ############################################################################
text # According to the RFC, the 'urgent pointer' field of the TCP header and its
text # URG flag should be set simultaneously to 0 or to non-0. If one of them is
text # null but not the other, an alert should be sent. If CHECK_URGENT is set
text # to 1, this alarm is sent.
text # Practice showed that NMAP, for example, often sets the urgent pointer but
text # not the URG flag. Is this some kind of signature?
text ############################################################################
text Enable check for urgent field|URG flag consistency.
mode scalar 0
name MAX_NUL_WINDOWS
text ############################################################################
text # MAX_NUL_WINDOWS
text ############################################################################
text # The maximum number of consecutive null-window acknowledgments from a host
text # before triggering an alarm: host's TCP buffer exhausted.
text ############################################################################
text Max number of consecutive null window messages from a host.
mode scalar 10
name MAX_ACK
text ############################################################################
text # MAX_ACK
text ############################################################################
text # The maximum number of consecutive desynchronized ACKs exchanged between
text # 2 hosts in a TCP connection before triggering an 'ACK storm' alert
text # (typical of TCP hijacking). It should not be too large, since desynchronized
text # states are not normal anyway, and because new hijacked packets may reset
text # the counter.
text ############################################################################
text Max number of desynchronized ACKs allowed.
mode scalar 3
name TIME_OUT
text ############################################################################
text # TIME_OUT
text ############################################################################
text # The delay (in seconds) after which a TCP connection which is no longer
text # exchanging packets is considered dropped.
text # Should not exceed a few minutes, to avoid flooding resources in case of
text # heavy half-open (and the like) scans, and to avoid delay in detecting them.
text ############################################################################
text Time in seconds after which an inactive TCP connection is dropped by the filter.
mode scalar 360
name COUNT_CONNECTIONS
text ############################################################################
text # COUNT_CONNECTIONS
text ############################################################################
text # Will send an alert every X minutes telling how many TCP connections are
text # open on the monitored ports (i.e. all ports except UNCHECKED_PORTS).
text # Necessary to check that this number is no larger than ~400, otherwise
text # the filter cannot be used, due to N-code's lack of efficiency.
text ############################################################################
text Whether to show how many connections are currently running on the
text monitored ports
mode scalar 1
name UNCHECKED_PORTS
text ############################################################################
text # UNCHECKED_PORTS
text ############################################################################
text # The traffic is searched for common scanning patterns (see tcp.desc).
text # But some traffic (http, ftp...) sometimes uses such scanning patterns
text # in normal use-cases, thus generating lots of false positives.
text # UNCHECKED_PORTS will remove any scan alert related to one of the ports
text # listed.
text # On the other hand, traffic on UNCHECKED_PORTS will not be monitored
text # for TCP hijacking...
text # typically: 80, 21, 110, 25
text ############################################################################
text List of destination ports whose traffic will not generate scanning alerts.
mode list 21 110 25
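The reserved-bits, URG/urgent-pointer and null-window checks that the CHECK_RESERVED_TCP_FLAGS, CHECK_URGENT and MAX_NUL_WINDOWS variables control, as an added Python illustration; this is not the NFR filter's N-code, the threshold names are reused from the config, and the sample headers are constructed in-line rather than captured.

```python
import struct
from collections import defaultdict

# Thresholds named after the filter's variables (defaults from the page).
CHECK_RESERVED_TCP_FLAGS = 1
CHECK_URGENT = 1
MAX_NUL_WINDOWS = 10

def parse_tcp_header(pkt):
    """Decode the fixed 20-byte TCP header into a dict of the fields we check."""
    (sport, dport, seq, ack, off_res, flags,
     win, csum, urgp) = struct.unpack("!HHLLBBHHH", pkt[:20])
    # Six reserved bits in the RFC 793 layout: low 4 bits of the offset byte
    # plus the top 2 bits of the flags byte (reused by ECN as CWR/ECE).
    reserved = ((off_res & 0x0F) << 2) | (flags >> 6)
    return {"sport": sport, "dport": dport, "reserved": reserved,
            "urg": bool(flags & 0x20), "ack": bool(flags & 0x10),
            "window": win, "urgp": urgp}

def stateless_alerts(hdr):
    """Per-packet checks: CHECK_RESERVED_TCP_FLAGS and CHECK_URGENT."""
    alerts = []
    if CHECK_RESERVED_TCP_FLAGS and hdr["reserved"] != 0:
        alerts.append("reserved TCP bits not null")
    # RFC: URG flag and urgent pointer are both zero or both non-zero.
    if CHECK_URGENT and hdr["urg"] != (hdr["urgp"] != 0):
        alerts.append("URG flag / urgent pointer mismatch")
    return alerts

class NulWindowTracker:
    """Counts consecutive zero-window ACKs per host (MAX_NUL_WINDOWS)."""
    def __init__(self, limit=MAX_NUL_WINDOWS):
        self.limit = limit
        self.counts = defaultdict(int)

    def observe(self, host, hdr):
        if hdr["ack"] and hdr["window"] == 0:
            self.counts[host] += 1
            if self.counts[host] == self.limit:
                return "host's TCP buffer exhausted"
        else:
            self.counts[host] = 0      # any non-zero window breaks the run
        return None

def make_tcp(flags=0x10, reserved=0, window=8192, urgp=0):
    """Constructed sample header (not a capture), ports 40000 -> 22."""
    off_res = (5 << 4) | ((reserved >> 2) & 0x0F)
    flags |= (reserved & 0x3) << 6
    return struct.pack("!HHLLBBHHH", 40000, 22, 1, 1, off_res, flags, window, 0, urgp)
```

An ECN-capable network will trip the reserved-bits check on every CWR/ECE packet, which is exactly why the page recommends CHECK_RESERVED_TCP_FLAGS = 0 there.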