I have a FreeBSD host which I noticed recently triggering some snort decoder alerts due to using a TCP window scaling (rfc1323) value of 15. The decoder is tripping because anything greater than 14 is considered invalid. This text from the RFC seems to support it:

    Since the max window is 2**S (where S is the scaling shift count)
    times at most 2**16 - 1 (the maximum unscaled window), the maximum
    window is guaranteed to be < 2**30 if S <= 14. Thus, the shift count
    must be limited to 14 (which allows windows of 2**30 = 1 Gbyte). If a
    Window Scale option is received with a shift.cnt value exceeding 14,
    the TCP should log the error but use 14 instead of the specified
    value.

http://www.networksorcery.com/enp/protocol/tcp/option003.htm suggests the option should only be set on a SYN packet.

Packet data:

    11:41:18.424938 IP (tos 0x0, ttl 46, id 58935, offset 0, flags [none], proto: TCP (6), length: 60) 137.160.241.90.34223 > 165.195.64.61.1: FP, cksum 0x0900 (correct), 1645233436:1645233436(0) win 65535 urg 0 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
        0x0000:  4500 003c e637 0000 2e06 4589 89a0 f15a  E..<.7....E....Z
        0x0010:  a5c3 403d 85af 0001 6210 451c 86c4 20ed  [EMAIL PROTECTED]
        0x0020:  a029 ffff 0900 0000 0303 0f01 0204 0109  .)..............
        0x0030:  080a ffff ffff 0000 0000 0402            ............

This packet was generated during a probe of a remote system's echo service using nc(1). It may have come when the ctrl+c was issued.

net.inet.tcp.rfc1323 is enabled. The following are sysctl changes in effect on the system:

    kern.ipc.shmmax=67108864
    kern.ipc.shmall=32768
    vfs.usermount=1
    net.inet.tcp.sendspace=65536
    net.inet.tcp.recvspace=65536
    kern.ipc.nmbclusters=32768

So, is it indeed wrong for FreeBSD to set a window scale value of 15 or on a non-SYN? Any problems to take care of?

DS

    Copyright (c) 1992-2007 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
    FreeBSD is a registered trademark of The FreeBSD Foundation.
    FreeBSD 6.3-PRERELEASE #0: Fri Nov 30 16:05:54 MST 2007
        [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP

-- 
Darren Spruell
[EMAIL PROTECTED]
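
Added example (not part of the original post, and not Snort's code): the two conditions the post asks about, a Window Scale shift count above 14 and a Window Scale option on a segment without SYN, checked against the packet bytes transcribed from the hex dump above. The function names tcp_options and check_wscale are hypothetical.

```python
# Packet bytes transcribed from the tcpdump hex dump in the post
# (20-byte IPv4 header followed by a 40-byte TCP header, 60 bytes total).
PACKET = bytes.fromhex(
    "4500003ce63700002e06458989a0f15a"
    "a5c3403d85af00016210451c86c420ed"
    "a029ffff0900000003030f0102040109"
    "080affffffff000000000402"
)

MAX_WSCALE = 14  # largest shift.cnt allowed by the RFC text quoted in the post
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def tcp_options(tcp):
    """Yield (kind, data) for each option in a TCP header, skipping NOPs."""
    hdr_len = (tcp[12] >> 4) * 4          # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(tcp):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                     # End of Option List
            return
        if kind == 1:                     # NOP is a single byte, no length
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            raise ValueError("truncated or malformed TCP option")
        yield kind, tcp[i + 2:i + tcp[i + 1]]
        i += tcp[i + 1]

def check_wscale(packet):
    """Return (flag names, findings) for one IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length, in bytes
    tcp = packet[ihl:]
    flags = tcp[13]
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    findings = []
    for kind, data in tcp_options(tcp):
        if kind == 3 and len(data) == 1:  # Window Scale option
            if data[0] > MAX_WSCALE:
                findings.append(f"wscale {data[0]} exceeds {MAX_WSCALE}")
            if not flags & 0x02:
                findings.append("wscale on non-SYN segment")
    return names, findings

if __name__ == "__main__":
    print(check_wscale(PACKET))
```

The flags byte of the captured segment is 0x29, so both conditions apply to it: the shift count is 15 and SYN is not set.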