[Oisf-users] Lots of "TCP duplicated option" (SID 2200037) since upgrade to 3.1.1

Peter Manev petermanev at gmail.com
Tue Aug 23 08:49:57 UTC 2016

On Tue, Jul 26, 2016 at 12:07 AM, Brian Keefer <chort at effu.se> wrote:
> On Jul 25, 2016, at 3:44 PM, Peter Manev <petermanev at gmail.com> wrote:
>> On Mon, Jul 25, 2016 at 7:15 PM, Brian Keefer <chort at effu.se> wrote:
>>> I’m curious if anyone else has run into this. Previously I was on 3.0 RC (I don’t remember which one exactly). Ever since I upgrade our sensors to 3.1.1-release I’ve been seeing hundreds of thousands of “TCP duplicated option” alerts per day. I’m in the process of pulling out some PCAPs to try to see what exactly is going on. It appears the vast majority are being generated by Ubuntu boxes running Postfix, and CentOS boxes running Nagios.
>> It would be very helpful to share the pcap that can be used to further
>> analyze that case.
>>> --
>>> bk
>> --
>> Regards,
>> Peter Manev
> In the mean time, I have a question about how this event is supposed to get set. I read the code in decode-tcp.c. I'm no expert in C code or in TCP/IP data structures, so it's not clear to me why it's setting a duplicate option event when DecodeTCPOptions finds and option type value that isn't 0. In the one triggering packet I looked at so far, both sides of the handshake set wscale for instance, but tcpdump didn't show that repeating on the same side again, so I'm a bit lost as to what the event is actually supposed to signify.

Brian -
A similar issue was reported here -
https://redmine.openinfosecfoundation.org/issues/1858 and fixed
through - https://github.com/inliniac/suricata/pull/2189

Can you try the latest git master and confirm if it fixes the issue for you?


Peter Manev

More information about the Oisf-users mailing list