2.70. TCP_FLAG

These log messages refer to the TCP_FLAG (Events concerning the TCP header flags) category.

2.70.1. tcp_flags_set (ID: 03300001)

Default Severity
NOTICE
Log Message
The TCP <good_flag> and <bad_flag> flags are set. Allowing
Explanation
The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG.
Firewall Action
allow
Recommended Action
If any of these combinations should either be dropped or have the bad flag stripped, specify this in the configuration, in the "Settings" sub system.
Revision
1
Parameters
good_flag
bad_flag
Context Parameters
Rule Name
Packet Buffer

2.70.2. tcp_flags_set (ID: 03300002)

Default Severity
WARNING
Log Message
The TCP <good_flag> and <bad_flag> flags are set. Stripping <bad_flag> flag
Explanation
The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG. Removing the "bad" flag.
Firewall Action
strip_bad_flag
Recommended Action
If any of these combinations should either be dropped or ignored, specify this in the configuration, in the "Settings" sub system.
Revision
1
Parameters
good_flag
bad_flag
Context Parameters
Rule Name
Packet Buffer

2.70.3. tcp_flag_set (ID: 03300003)

Default Severity
NOTICE
Log Message
The TCP <bad_flag> flag is set. Ignoring
Explanation
A "bad" TCP flag is set. Ignoring it.
Firewall Action
ignore
Recommended Action
None
Revision
1
Parameters
bad_flag
Context Parameters
Rule Name
Packet Buffer

2.70.4. tcp_flag_set (ID: 03300004)

Default Severity
NOTICE
Log Message
The TCP <bad_flag> flag is set. Stripping
Explanation
A "bad" TCP flag is set. Removing it.
Firewall Action
strip_flag
Recommended Action
None
Revision
1
Parameters
bad_flag
Context Parameters
Rule Name
Packet Buffer

2.70.5. tcp_null_flags (ID: 03300005)

Default Severity
NOTICE
Log Message
Packet has no SYN, ACK, FIN or RST flag set
Explanation
The packet has no SYN, ACK, FIN or RST flag set. Ignoring.
Firewall Action
ignore
Recommended Action
None
Revision
1
Context Parameters
Rule Name
Packet Buffer

2.70.6. tcp_flags_set (ID: 03300008)

Default Severity
WARNING
Log Message
The TCP <good_flag> and <bad_flag> flags are set. Dropping
Explanation
The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG.
Firewall Action
drop
Recommended Action
If any of these combinations should either be ignored or have the bad flag stripped, specify this in the configuration, in the "Settings" sub system.
Revision
1
Parameters
good_flag
bad_flag
Context Parameters
Rule Name
Packet Buffer

2.70.7. tcp_flag_set (ID: 03300009)

Default Severity
WARNING
Log Message
The TCP <bad_flag> flag is set. Dropping
Explanation
A "bad" TCP flag is set. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
bad_flag
Context Parameters
Rule Name
Packet Buffer
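The flag checks behind the tcp_flags_set, tcp_flag_set and tcp_null_flags events above, as an added example written for this page and not the firewall's own code. It reads the flags byte of a raw TCP header, tests the five documented good/bad combinations and the no-SYN/ACK/FIN/RST case, and applies a hypothetical policy table (DEFAULT_POLICY, standing in for the "Settings" sub system) to pick one of the actions the page lists. The page does not say which single flags trigger tcp_flag_set, so that event is not modelled. The sample header is constructed inline with a zero checksum; a real strip_bad_flag implementation must recompute the TCP checksum after rewriting the flags byte.

```python
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793, RFC 3168).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# The (good_flag, bad_flag) combinations listed under tcp_flags_set.
BAD_COMBINATIONS = [("SYN", "URG"), ("SYN", "PSH"), ("SYN", "RST"),
                    ("SYN", "FIN"), ("FIN", "URG")]

# Hypothetical policy table standing in for the "Settings" sub system. Each
# combination maps to one of the page's actions (allow, strip_bad_flag, drop);
# "null_flags" covers the no-SYN/ACK/FIN/RST case (ignore or drop).
DEFAULT_POLICY = {
    ("SYN", "URG"): "strip_bad_flag",
    ("SYN", "PSH"): "allow",
    ("SYN", "RST"): "drop",
    ("SYN", "FIN"): "drop",
    ("FIN", "URG"): "strip_bad_flag",
    "null_flags": "drop",
}


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header with no options (constructed sample).
    The checksum field is left zero; this header is never transmitted."""
    data_offset = 5 << 4  # five 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def parse_tcp_flags(segment):
    """Return the flags byte of a raw TCP header (IP header already removed)."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    return segment[13]


def flag_names(flags):
    """Human-readable flag list in header bit order, e.g. ['SYN', 'ACK']."""
    return [name for name, bit in FLAGS.items() if flags & bit]


def inspect_segment(segment, policy=DEFAULT_POLICY):
    """Classify the segment's flags and return the event the page describes.

    The result carries the event name (None if nothing matched), the action,
    the good_flag/bad_flag parameters where they apply, and the segment as it
    would be forwarded (rewritten when the bad flag is stripped)."""
    flags = parse_tcp_flags(segment)
    result = {"event": None, "action": "allow", "segment": segment}

    # tcp_null_flags: none of SYN, ACK, FIN or RST is set.
    if not flags & (FLAGS["SYN"] | FLAGS["ACK"] | FLAGS["FIN"] | FLAGS["RST"]):
        result.update(event="tcp_null_flags",
                      action=policy.get("null_flags", "drop"))
        return result

    # tcp_flags_set: one of the listed good/bad combinations is present.
    for good, bad in BAD_COMBINATIONS:
        if flags & FLAGS[good] and flags & FLAGS[bad]:
            action = policy.get((good, bad), "drop")
            result.update(event="tcp_flags_set", action=action,
                          good_flag=good, bad_flag=bad)
            if action == "strip_bad_flag":
                rewritten = bytearray(segment)
                rewritten[13] = flags & ~FLAGS[bad] & 0xFF
                # A real implementation recomputes the TCP checksum here; the
                # constructed sample carries a zero checksum, so it is left as is.
                result["segment"] = bytes(rewritten)
            return result

    return result


if __name__ == "__main__":
    sample = build_tcp_header(40000, 80, 1000, 0, FLAGS["SYN"] | FLAGS["URG"])
    r = inspect_segment(sample)
    print(r["event"], r["good_flag"], r["bad_flag"], r["action"],
          flag_names(parse_tcp_flags(r["segment"])))
```

Only the first matching combination is reported, so a segment carrying SYN, URG and FIN is logged once as SYN URG here; the page does not state how the firewall orders the checks, which is one more assumption of this example.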

2.70.8. unexpected_tcp_flags (ID: 03300010)

Default Severity
WARNING
Log Message
Unexpected tcp flags <flags> from <endpoint> during state <state>. Dropping
Explanation
Received TCP flags that are not valid for the connection's current state. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
flags
endpoint
state
Context Parameters
Rule Name
Connection
Packet Buffer

2.70.9. mismatched_syn_resent (ID: 03300011)

Default Severity
WARNING
Log Message
Mismatched syn "resent" with seq <seqno>, expected <origseqno>. Dropping
Explanation
The sequence number in the re-sent SYN does not match. A re-sent SYN must carry the same sequence number as the original SYN. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
seqno
origseqno
Context Parameters
Rule Name
Connection
Packet Buffer

2.70.10. mismatched_first_ack_seqno (ID: 03300012)

Default Severity
WARNING
Log Message
ACK packet with seq <seqno>. Expected <expectseqno>. Dropping
Explanation
The sequence number of the ACK does not match the expected value. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
seqno
expectseqno
Context Parameters
Rule Name
Connection
Packet Buffer

2.70.11. mismatched_first_ack_seqno (ID: 03300013)

Default Severity
WARNING
Log Message
SYNACK packet with seq <seqno>. Expected <expectseqno>. Dropping
Explanation
The sequence number of the SYN-ACK does not match the expected value. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
seqno
expectseqno
Context Parameters
Rule Name
Connection
Packet Buffer

2.70.12. rst_out_of_bounds (ID: 03300015)

Default Severity
WARNING
Log Message
Originator RST seq <seqno> is not in window <winstart>...<winend>. Dropping
Explanation
The sequence number of the RST segment is not within the receive window. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
seqno
winstart
winend
Context Parameters
Rule Name
Connection
Packet Buffer

2.70.13. unacceptable_ack (ID: 03300017)

Default Severity
NOTICE
Log Message
TCP acknowledgement <ack> is not in the acceptable range <accstart>-<accend>. Dropping
Explanation
A TCP segment with an unacceptable acknowledgement number was received during state SYN_SENT. The packet will be dropped.
Firewall Action
drop
Recommended Action
None
Revision
1
Parameters
ack
accstart
accend
Context Parameters
Rule Name
Connection
Packet Buffer

2.70.14. rst_without_ack (ID: 03300018)

Default Severity
NOTICE
Log Message
TCP RST segment without ACK during state SYN_SENT. Dropping
Explanation
A TCP segment with the RST flag but not the ACK flag was received during state SYN_SENT. The packet will be dropped.
Firewall Action
drop
Recommended Action
None
Revision
1
Context Parameters
Rule Name
Connection
Packet Buffer

2.70.15. tcp_recv_windows_drained (ID: 03300022)

Default Severity
CRITICAL
Log Message
Out of large TCP receive windows. Maximum windows: <max_windows>. Triggered <num_events> times last 10 seconds.
Explanation
The TCP stack could not accept incoming data since it has run out of large TCP receive windows. This event was triggered <num_events> times during the last 10 seconds.
Firewall Action
close
Recommended Action
If the system is configured to use TCP based ALGs, increase the maximum sessions parameter on the associated service.
Revision
1
Parameters
max_windows
num_events

2.70.16. tcp_snd_windows_drained (ID: 03300023)

Default Severity
CRITICAL
Log Message
Out of large TCP send windows. Maximum windows: <max_windows>. Triggered <num_events> times last 10 seconds.
Explanation
The TCP stack could not send data since it has run out of large TCP send windows. This event was triggered <num_events> times during the last 10 seconds.
Firewall Action
close
Recommended Action
If the system is configured to use TCP based ALGs, increase the maximum sessions parameter on the associated service.
Revision
1
Parameters
max_windows
num_events

2.70.17. tcp_get_freesocket_failed (ID: 03300024)

Default Severity
WARNING
Log Message
System was not able to get a free socket. Triggered <num_events> times last 10 seconds.
Explanation
The TCP stack could not get a free socket. This event was triggered <num_events> times during the last 10 seconds.
Firewall Action
None
Recommended Action
None
Revision
1
Parameters
num_events
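Turning these reference entries into detection logic means matching the Log Message templates against real log lines and pulling out the named parameters. The following added example (written for this page, not a tool shipped with the firewall) converts a subset of the templates above (unexpected_tcp_flags, rst_out_of_bounds, tcp_recv_windows_drained, tcp_get_freesocket_failed) into anchored regular expressions, parses a few constructed lines, and flags the CRITICAL resource-exhaustion events. The sample lines contain only the message text as the page prints it; any timestamp, host or ID prefix a real log stream adds is outside the page and would need to be stripped first.

```python
import re

# Subset of this section's catalogue: ID -> (event name, default severity, template).
EVENTS = {
    "03300010": ("unexpected_tcp_flags", "WARNING",
                 "Unexpected tcp flags <flags> from <endpoint> during state <state>. Dropping"),
    "03300015": ("rst_out_of_bounds", "WARNING",
                 "Originator RST seq <seqno> is not in window <winstart>...<winend>. Dropping"),
    "03300022": ("tcp_recv_windows_drained", "CRITICAL",
                 "Out of large TCP receive windows. Maximum windows: <max_windows>. "
                 "Triggered <num_events> times last 10 seconds."),
    "03300024": ("tcp_get_freesocket_failed", "WARNING",
                 "System was not able to get a free socket. Triggered <num_events> times last 10 seconds."),
}


def template_to_regex(template):
    """Turn 'text <param> text' into an anchored regex with named groups.
    Literal text is escaped, so the '...' in the window template is matched
    as three dots rather than as wildcards."""
    parts = re.split(r"<(\w+)>", template)  # alternates literal, name, literal, ...
    pattern = ""
    for i, part in enumerate(parts):
        if i % 2 == 0:
            pattern += re.escape(part)
        else:
            pattern += "(?P<%s>.+?)" % part  # lazy, bounded by the next literal
    return re.compile("^" + pattern + "$")


COMPILED = {eid: (name, sev, template_to_regex(tpl))
            for eid, (name, sev, tpl) in EVENTS.items()}


def parse_log_line(line):
    """Return {'id', 'name', 'severity', 'params'} for a known message, else None."""
    for eid, (name, sev, rx) in COMPILED.items():
        m = rx.match(line.strip())
        if m:
            return {"id": eid, "name": name, "severity": sev, "params": m.groupdict()}
    return None


def triage(lines):
    """Summarise a batch of lines: how many matched, which were CRITICAL, and
    how many window-exhaustion events the *_drained messages reported."""
    parsed = [p for p in (parse_log_line(l) for l in lines) if p]
    return {
        "parsed": len(parsed),
        "critical": [p["name"] for p in parsed if p["severity"] == "CRITICAL"],
        "window_events": sum(int(p["params"]["num_events"])
                             for p in parsed if p["name"].endswith("_drained")),
    }


# Constructed sample lines for this example, not real firewall output.
SAMPLE_LINES = [
    "Unexpected tcp flags SYN FIN from 192.0.2.10:44321 during state SYN_SENT. Dropping",
    "Originator RST seq 4000000001 is not in window 4000000100...4000065635. Dropping",
    "Out of large TCP receive windows. Maximum windows: 1024. Triggered 37 times last 10 seconds.",
    "System was not able to get a free socket. Triggered 3 times last 10 seconds.",
    "some unrelated line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_log_line(line))
    print(triage(SAMPLE_LINES))
```

Because every template is anchored at both ends and the placeholders are lazy, a parameter can contain spaces (the flag list "SYN FIN") without bleeding into the next field; the ID lookup then gives the severity to alert on rather than trusting whatever severity the log stream itself carries.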

2.70.18. tcp_seqno_too_low_with_syn (ID: 03300025)

Default Severity
DEBUG
Log Message
TCP sequence number <seqno> is not in the acceptable range <accstart>-<accend>. Dropping
Explanation
A TCP segment with the SYN flag set was received with a sequence number outside the acceptable range. The packet will be dropped.
Firewall Action
drop
Recommended Action
None
Revision
2
Parameters
seqno
accstart
accend
Context Parameters
Rule Name
Connection
Packet Buffer
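The sequence-number checks behind mismatched_syn_resent, mismatched_first_ack_seqno, rst_out_of_bounds, unacceptable_ack and tcp_seqno_too_low_with_syn, as an added example written for this page rather than the firewall's own code. Each function returns the event the page names, the action, and a message in the page's Log Message form, or None when the segment is acceptable. The window and range comparisons use 32-bit modular arithmetic, because sequence numbers wrap and a plain integer comparison would wrongly reject a window that straddles 2^32. The acceptable ACK range in SYN_SENT follows RFC 793 (ISS < SEG.ACK <= SND.NXT); how the firewall derives the accstart/accend range for tcp_seqno_too_low_with_syn is not on the page, so that function simply takes the range it is given.

```python
MASK = 0xFFFFFFFF


def seq_lt(a, b):
    """a < b in 32-bit sequence space: b lies less than 2^31 ahead of a."""
    d = (b - a) & MASK
    return d != 0 and d < 0x80000000


def seq_le(a, b):
    return a == b or seq_lt(a, b)


def seq_between(x, lo, hi):
    """lo <= x <= hi with wraparound (inclusive on both ends)."""
    return seq_le(lo, x) and seq_le(x, hi)


def check_syn_resent(seqno, origseqno):
    """A re-sent SYN must carry the original SYN's sequence number."""
    if seqno != origseqno:
        return ("mismatched_syn_resent", "drop",
                'Mismatched syn "resent" with seq %d, expected %d. Dropping' % (seqno, origseqno))
    return None


def check_first_ack_seqno(seqno, expectseqno, synack=False):
    """The handshake ACK (or SYN-ACK) must start where the stack expects it."""
    if seqno != expectseqno:
        kind = "SYNACK" if synack else "ACK"
        return ("mismatched_first_ack_seqno", "drop",
                "%s packet with seq %d. Expected %d. Dropping" % (kind, seqno, expectseqno))
    return None


def check_rst_in_window(seqno, winstart, winend):
    """An RST is honoured only inside the receive window winstart...winend
    (winend is taken as the last acceptable sequence number)."""
    if not seq_between(seqno, winstart, winend):
        return ("rst_out_of_bounds", "drop",
                "Originator RST seq %d is not in window %d...%d. Dropping" % (seqno, winstart, winend))
    return None


def check_ack_syn_sent(ack, iss, snd_nxt):
    """RFC 793 acceptability in SYN_SENT: ISS < SEG.ACK <= SND.NXT.
    For a SYN carrying no data snd_nxt == iss + 1, so only one value is acceptable."""
    accstart = (iss + 1) & MASK
    accend = snd_nxt & MASK
    if not seq_between(ack, accstart, accend):
        return ("unacceptable_ack", "drop",
                "TCP acknowledgement %d is not in the acceptable range %d-%d. Dropping" % (ack, accstart, accend))
    return None


def check_syn_seqno(seqno, accstart, accend):
    """Range check for a SYN's sequence number; the range comes from the caller."""
    if not seq_between(seqno, accstart, accend):
        return ("tcp_seqno_too_low_with_syn", "drop",
                "TCP sequence number %d is not in the acceptable range %d-%d. Dropping" % (seqno, accstart, accend))
    return None


if __name__ == "__main__":
    # Constructed values: a window that wraps past 2^32 and a handshake at the wrap point.
    print(check_rst_in_window(0x00000005, 0xFFFFFFF0, 0x00000010))   # None: inside the wrapped window
    print(check_rst_in_window(0xFFFFFFE0, 0xFFFFFFF0, 0x00000010))   # rst_out_of_bounds
    print(check_ack_syn_sent(0, 0xFFFFFFFF, 0))                      # None: ack == iss + 1 after wrap
    print(check_syn_resent(2001, 2000))                              # mismatched_syn_resent
```

The wrapped-window cases in the usage block are the ones a naive `winstart <= seq <= winend` would get backwards: 0x00000005 is inside a window that starts at 0xFFFFFFF0, and an ISS of 0xFFFFFFFF makes 0 the only acceptable acknowledgement.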

2.70.19. tcp_syn_fragmented (ID: 03300026)

Default Severity
NOTICE
Log Message
SYN packet is fragmented
Explanation
The SYN packet is fragmented. Ignoring.
Firewall Action
ignore
Recommended Action
None
Revision
1
Context Parameters
Rule Name
Packet Buffer

2.70.20. tcp_syn_fragmented (ID: 03300027)

Default Severity
NOTICE
Log Message
SYN packet is fragmented. Dropping
Explanation
The SYN packet is fragmented. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Context Parameters
Rule Name
Packet Buffer

2.70.21. tcp_syn_data (ID: 03300028)

Default Severity
NOTICE
Log Message
SYN packet contains data
Explanation
The SYN packet contains payload data. Ignoring.
Firewall Action
ignore
Recommended Action
None
Revision
1
Context Parameters
Rule Name
Packet Buffer

2.70.22. tcp_syn_data (ID: 03300029)

Default Severity
NOTICE
Log Message
SYN packet contains data. Dropping
Explanation
The SYN packet contains payload data. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Context Parameters
Rule Name
Packet Buffer

2.70.23. tcp_null_flags (ID: 03300030)

Default Severity
WARNING
Log Message
Packet has no SYN, ACK, FIN or RST flag set. Dropping
Explanation
The packet has no SYN, ACK, FIN or RST flag set. Dropping packet.
Firewall Action
drop
Recommended Action
None
Revision
1
Context Parameters
Rule Name
Packet Buffer