2.70. TCP

Home Prev	cOS Core 15.00.02 Log Reference Guide	Next

2.70.1. tcp_flags_set (ID: 03300001)

Default Severity: NOTICE
Log Message: The TCP <good_flag> and <bad_flag> flags are set. Allowing
Explanation: The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG.
Firewall Action: allow
Recommended Action: If any of these combinations should either be dropped or having the bad flag stripped, specify this in configuration, in the "Settings" sub system.
Revision: 1
Parameters: good_flag
bad_flag
Context Parameters: Rule Name
Packet Buffer

2.70.2. tcp_flags_set (ID: 03300002)

Default Severity: WARNING
Log Message: The TCP <good_flag> and <bad_flag> flags are set. Stripping <bad_flag> flag
Explanation: The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG. Removing the "bad" flag.
Firewall Action: strip_bad_flag
Recommended Action: If any of these combinations should either be dropped or ignored, specify this in configuration, in the "Settings" sub system.
Revision: 1
Parameters: good_flag
bad_flag
Context Parameters: Rule Name
Packet Buffer

2.70.3. tcp_flag_set (ID: 03300003)

Default Severity: NOTICE
Log Message: The TCP <bad_flag> flag is set. Ignoring
Explanation: The TCP flag is set. Ignoring.
Firewall Action: ignore
Recommended Action: None
Revision: 1
Parameters: bad_flag
Context Parameters: Rule Name
Packet Buffer

2.70.4. tcp_flag_set (ID: 03300004)

Default Severity: NOTICE
Log Message: The TCP <bad_flag> flag is set. Stripping
Explanation: A "bad" TCP flag is set. Removing it.
Firewall Action: strip_flag
Recommended Action: None
Revision: 1
Parameters: bad_flag
Context Parameters: Rule Name
Packet Buffer

2.70.5. tcp_null_flags (ID: 03300005)

Default Severity: NOTICE
Log Message: Packet has no SYN, ACK, FIN or RST flag set
Explanation: The packet has no SYN, ACK, FIN or RST flag set. Ignoring.
Firewall Action: ignore
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.70.6. tcp_flags_set (ID: 03300008)

Default Severity: WARNING
Log Message: The TCP <good_flag> and <bad_flag> flags are set. Dropping
Explanation: The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG.
Firewall Action: drop
Recommended Action: If any of these combinations should either be ignored or having the bad flag stripped, specify this in configuration, in the "Settings" sub system.
Revision: 1
Parameters: good_flag
bad_flag
Context Parameters: Rule Name
Packet Buffer

2.70.7. tcp_flag_set (ID: 03300009)

Default Severity: WARNING
Log Message: The TCP <bad_flag> flag is set. Dropping
Explanation: The TCP flag is set. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Parameters: bad_flag
Context Parameters: Rule Name
Packet Buffer

2.70.8. unexpected_tcp_flags (ID: 03300010)

Default Severity: WARNING
Log Message: Unexpected tcp flags <flags> from <endpoint> during state <state>. Dropping
Explanation: Received unexpected tcp flags during a specific state. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Parameters: flags
endpoint
state
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.9. mismatched_syn_resent (ID: 03300011)

Default Severity: WARNING
Log Message: Mismatched syn "resent" with seq <seqno>, expected <origseqno>. Dropping
Explanation: Mismatching sequence number in re-sent SYN. Re-sent SYN packet must have identical sequence number as the original SYN. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Parameters: seqno
origseqno
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.10. mismatched_first_ack_seqno (ID: 03300012)

Default Severity: WARNING
Log Message: ACK packet with seq <seqno>. Expected <expectseqno>. Dropping
Explanation: Mismatching sequence numbers. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Parameters: seqno
expectseqno
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.11. mismatched_first_ack_seqno (ID: 03300013)

Default Severity: WARNING
Log Message: SYNACK packet with seq <seqno>. Expected <expectseqno>. Dropping
Explanation: Mismatching sequence numbers. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Parameters: seqno
expectseqno
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.12. rst_out_of_bounds (ID: 03300015)

Default Severity: WARNING
Log Message: Originator RST seq <seqno> is not in window <winstart>...<winend>. Dropping
Explanation: The RST flag sequence number is not within the receiver window. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Parameters: seqno
winstart
winend
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.13. unacceptable_ack (ID: 03300017)

Default Severity: NOTICE
Log Message: TCP acknowledgement <ack> is not in the acceptable range <accstart>-<accend>. Dropping
Explanation: A TCP segment with an unacceptable acknowledgement number was received during state SYN_SENT. The packet will be dropped.
Firewall Action: drop
Recommended Action: None
Revision: 1
Parameters: ack
accstart
accend
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.14. rst_without_ack (ID: 03300018)

Default Severity: NOTICE
Log Message: TCP RST segment without ACK during state SYN_SENT. Dropping
Explanation: A TCP segment with the RST flag but not the ACK flag was received during state SYN_SENT. The packet will be dropped.
Firewall Action: drop
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.15. tcp_recv_windows_drained (ID: 03300022)

Default Severity: CRITICAL
Log Message: Out of large TCP receive windows. Maximum windows: <max_windows>. Triggered <num_events> times last 10 seconds.
Explanation: The TCP stack could not accept incomming data since it has run out of large TCP receive windows. This event was triggered [num_events] times during the last 10 seconds.
Firewall Action: close
Recommended Action: If the system is configured to use TCP based ALGs, increase the amount of maximum sessions parameter on the associated service.
Revision: 1
Parameters: max_windows
[num_events]

2.70.16. tcp_snd_windows_drained (ID: 03300023)

Default Severity: CRITICAL
Log Message: Out of large TCP send windows. Maximum windows: <max_windows>. Triggered <num_events> times last 10 seconds.
Explanation: The TCP stack could not send data since it has run out of large TCP send windows. This event was triggered [num_events] times during the last 10 seconds.
Firewall Action: close
Recommended Action: If the system is configured to use TCP based ALGs, increase the amount of maximum sessions parameter on the associated service.
Revision: 1
Parameters: max_windows
[num_events]

2.70.17. tcp_get_freesocket_failed (ID: 03300024)

Default Severity: WARNING
Log Message: System was not able to get a free socket. Triggered <num_events> times last 10 seconds.
Explanation: The TCP stack could not get a free socket. This event was triggered [num_events] times during the last 10 seconds.
Firewall Action: None
Recommended Action: None
Revision: 1

2.70.18. tcp_seqno_too_low_with_syn (ID: 03300025)

Default Severity: DEBUG
Log Message: TCP sequence number <seqno> is not in the acceptable range <accstart>-<accend>. Dropping
Explanation: A TCP segment with an unacceptable sequence number was received. The packet will be dropped.
Firewall Action: drop
Recommended Action: None
Revision: 2
Parameters: seqno
accstart
accend
Context Parameters: Rule Name
Connection
Packet Buffer

2.70.19. tcp_syn_fragmented (ID: 03300026)

Default Severity: NOTICE
Log Message: SYN packet is fragmented
Explanation: The SYN packet is fragmented. Ignoring.
Firewall Action: ignore
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.70.20. tcp_syn_fragmented (ID: 03300027)

Default Severity: NOTICE
Log Message: SYN packet is fragmented. Dropping
Explanation: The SYN packet is fragmented. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.70.21. tcp_syn_data (ID: 03300028)

Default Severity: NOTICE
Log Message: SYN packet contains data
Explanation: The SYN packet contains payload data. Ignoring.
Firewall Action: ignore
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.70.22. tcp_syn_data (ID: 03300029)

Default Severity: NOTICE
Log Message: SYN packet contains data. Dropping
Explanation: The SYN packet contains payload data. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.70.23. tcp_null_flags (ID: 03300030)

Default Severity: WARNING
Log Message: Packet has no SYN, ACK, FIN or RST flag set. Dropping
Explanation: The packet has no SYN, ACK, FIN or RST flag set. Dropping packet.
Firewall Action: drop
Recommended Action: None
Revision: 1
Context Parameters: Rule Name
Packet Buffer

2.70. TCP_FLAG

2.70.1. tcp_flags_set (ID: 03300001)

2.70.2. tcp_flags_set (ID: 03300002)

2.70.3. tcp_flag_set (ID: 03300003)

2.70.4. tcp_flag_set (ID: 03300004)

2.70.5. tcp_null_flags (ID: 03300005)

2.70.6. tcp_flags_set (ID: 03300008)

2.70.7. tcp_flag_set (ID: 03300009)

2.70.8. unexpected_tcp_flags (ID: 03300010)

2.70.9. mismatched_syn_resent (ID: 03300011)

2.70.10. mismatched_first_ack_seqno (ID: 03300012)

2.70.11. mismatched_first_ack_seqno (ID: 03300013)

2.70.12. rst_out_of_bounds (ID: 03300015)

2.70.13. unacceptable_ack (ID: 03300017)

2.70.14. rst_without_ack (ID: 03300018)

2.70.15. tcp_recv_windows_drained (ID: 03300022)

2.70.16. tcp_snd_windows_drained (ID: 03300023)

2.70.17. tcp_get_freesocket_failed (ID: 03300024)

2.70.18. tcp_seqno_too_low_with_syn (ID: 03300025)

2.70.19. tcp_syn_fragmented (ID: 03300026)

2.70.20. tcp_syn_fragmented (ID: 03300027)

2.70.21. tcp_syn_data (ID: 03300028)

2.70.22. tcp_syn_data (ID: 03300029)

2.70.23. tcp_null_flags (ID: 03300030)