[Oisf-users] Lots of "TCP duplicated option" (SID 2200037) since upgrade to 3.1.1

Brian Keefer chort at effu.se
Tue Aug 23 23:12:55 UTC 2016

Seems to be working so far (no alerts for TCP duplicated option).

I found that after checking-out and building the latest PFRING I had to add the following to my configure environment: -lpcap -ldag, i.e. LIBS='-lrt -lnuma -lpcap -ldag' (this machine has a DAG card and apparently the latest PFRING detects the libs).


On Aug 23, 2016, at 1:49 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Tue, Jul 26, 2016 at 12:07 AM, Brian Keefer <chort at effu.se> wrote:
>> On Jul 25, 2016, at 3:44 PM, Peter Manev <petermanev at gmail.com> wrote:
>>> On Mon, Jul 25, 2016 at 7:15 PM, Brian Keefer <chort at effu.se> wrote:
>>>> I’m curious if anyone else has run into this. Previously I was on 3.0 RC (I don’t remember which one exactly). Ever since I upgraded our sensors to 3.1.1-release I’ve been seeing hundreds of thousands of “TCP duplicated option” alerts per day. I’m in the process of pulling out some PCAPs to try to see what exactly is going on. It appears the vast majority are being generated by Ubuntu boxes running Postfix, and CentOS boxes running Nagios.
>>> It would be very helpful to share the pcap that can be used to further
>>> analyze that case.
>>>> --
>>>> bk
>>> --
>>> Regards,
>>> Peter Manev
>> In the meantime, I have a question about how this event is supposed to get set. I read the code in decode-tcp.c. I'm no expert in C code or in TCP/IP data structures, so it's not clear to me why it's setting a duplicate option event when DecodeTCPOptions finds an option type value that isn't 0. In the one triggering packet I looked at so far, both sides of the handshake set wscale for instance, but tcpdump didn't show that repeating on the same side again, so I'm a bit lost as to what the event is actually supposed to signify.
> Brian -
> A similar issue was reported here -
> https://redmine.openinfosecfoundation.org/issues/1858 and fixed
> through - https://github.com/inliniac/suricata/pull/2189
> Can you try the latest git master and confirm if it fixes the issue for you?
> Thanks
> --
> Regards,
> Peter Manev

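An added illustration of the decoder check discussed above (example code, not Suricata's own decode-tcp.c): a minimal TCP options walker that, assuming the "duplicated option" event means the same option kind appears twice within one TCP header (NOP and EOL excepted, since NOP is legitimately repeated as padding), reports such a repeat and also rejects truncated or zero-length options. The option byte strings are constructed samples, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_OPT_EOL 0
#define TCP_OPT_NOP 1

/* Walk the TCP options area and report whether any option kind other than
 * EOL/NOP occurs more than once. Returns 1 if a duplicate kind is found,
 * 0 if the options are well-formed, -1 if an option is truncated or has an
 * invalid length (a separate decoder condition from duplication). */
int tcp_options_have_duplicate(const uint8_t *opts, size_t len)
{
    bool seen[256] = { false };   /* one slot per option kind */
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCP_OPT_EOL)
            return 0;             /* end of options list */
        if (kind == TCP_OPT_NOP) {
            i++;                  /* single-byte padding, may repeat freely */
            continue;
        }
        if (i + 1 >= len)
            return -1;            /* length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return -1;            /* invalid or truncated option */
        if (seen[kind])
            return 1;             /* same kind twice: "duplicated option" */
        seen[kind] = true;
        i += olen;
    }
    return 0;
}

/* Constructed sample: MSS(2,4,1460), NOP, wscale(3,3,7), SACK-permitted(4,2) */
static const uint8_t good_syn[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7, 4, 2 };
/* Constructed sample: the same header with wscale present a second time */
static const uint8_t dup_syn[]  = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7, 4, 2, 3, 3, 7 };
/* Constructed sample: two NOPs of padding before a timestamp option (8,10) */
static const uint8_t nop_pad[]  = { 1, 1, 8, 10, 0, 0, 0, 1, 0, 0, 0, 2 };
/* Constructed sample: MSS option cut off after its first data byte */
static const uint8_t truncated[] = { 2, 4, 0x05 };

int main(void)
{
    printf("good_syn:  %d\n", tcp_options_have_duplicate(good_syn, sizeof good_syn));
    printf("dup_syn:   %d\n", tcp_options_have_duplicate(dup_syn, sizeof dup_syn));
    printf("nop_pad:   %d\n", tcp_options_have_duplicate(nop_pad, sizeof nop_pad));
    printf("truncated: %d\n", tcp_options_have_duplicate(truncated, sizeof truncated));
    return 0;
}
```

Feeding the options bytes of a triggering packet (as shown by tcpdump -x) into this walker shows whether the header really carries the same kind twice or whether the alert comes from some other decoding condition.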