These log messages refer to the TCP_FLAG (Events concerning the TCP header flags) category.
2.70.1. tcp_flags_set (ID: 03300001)
- Default Severity
- NOTICE
- Log Message
- The TCP <good_flag> and <bad_flag> flags are set. Allowing
- Explanation
- The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG.
- Firewall Action
- allow
- Recommended Action
- If any of these combinations should either be dropped or have the bad flag stripped, specify this in the configuration, in the "Settings" subsystem.
- Revision
- 1
- Parameters
- good_flag
bad_flag
- Context Parameters
- Rule Name
Packet Buffer
2.70.2. tcp_flags_set (ID: 03300002)
- Default Severity
- WARNING
- Log Message
- The TCP <good_flag> and <bad_flag> flags are set. Stripping <bad_flag> flag
- Explanation
- The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG. Removing the "bad" flag.
- Firewall Action
- strip_bad_flag
- Recommended Action
- If any of these combinations should either be dropped or ignored, specify this in the configuration, in the "Settings" subsystem.
- Revision
- 1
- Parameters
- good_flag
bad_flag
- Context Parameters
- Rule Name
Packet Buffer
2.70.3. tcp_flag_set (ID: 03300003)
- Default Severity
- NOTICE
- Log Message
- The TCP <bad_flag> flag is set. Ignoring
- Explanation
- The TCP flag is set. Ignoring.
- Firewall Action
- ignore
- Recommended Action
- None
- Revision
- 1
- Parameters
- bad_flag
- Context Parameters
- Rule Name
Packet Buffer
2.70.4. tcp_flag_set (ID: 03300004)
- Default Severity
- NOTICE
- Log Message
- The TCP <bad_flag> flag is set. Stripping
- Explanation
- A "bad" TCP flag is set. Removing it.
- Firewall Action
- strip_flag
- Recommended Action
- None
- Revision
- 1
- Parameters
- bad_flag
- Context Parameters
- Rule Name
Packet Buffer
2.70.5. tcp_null_flags (ID: 03300005)
- Default Severity
- NOTICE
- Log Message
- Packet has no SYN, ACK, FIN or RST flag set
- Explanation
- The packet has no SYN, ACK, FIN or RST flag set. Ignoring.
- Firewall Action
- ignore
- Recommended Action
- None
- Revision
- 1
- Context Parameters
- Rule Name
Packet Buffer
2.70.6. tcp_flags_set (ID: 03300008)
- Default Severity
- WARNING
- Log Message
- The TCP <good_flag> and <bad_flag> flags are set. Dropping
- Explanation
- The possible combinations for these flags are: SYN URG, SYN PSH, SYN RST, SYN FIN and FIN URG.
- Firewall Action
- drop
- Recommended Action
- If any of these combinations should either be ignored or have the bad flag stripped, specify this in the configuration, in the "Settings" subsystem.
- Revision
- 1
- Parameters
- good_flag
bad_flag
- Context Parameters
- Rule Name
Packet Buffer
2.70.7. tcp_flag_set (ID: 03300009)
- Default Severity
- WARNING
- Log Message
- The TCP <bad_flag> flag is set. Dropping
- Explanation
- The TCP flag is set. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- bad_flag
- Context Parameters
- Rule Name
Packet Buffer
2.70.8. unexpected_tcp_flags (ID: 03300010)
- Default Severity
- WARNING
- Log Message
- Unexpected tcp flags <flags> from <endpoint> during state <state>. Dropping
- Explanation
- Received unexpected TCP flags during a specific state. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- flags
endpoint
state
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.9. mismatched_syn_resent (ID: 03300011)
- Default Severity
- WARNING
- Log Message
- Mismatched syn "resent" with seq <seqno>, expected <origseqno>. Dropping
- Explanation
- Mismatching sequence number in re-sent SYN. A re-sent SYN packet must have the same sequence number as the original SYN. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- seqno
origseqno
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.10. mismatched_first_ack_seqno (ID: 03300012)
- Default Severity
- WARNING
- Log Message
- ACK packet with seq <seqno>. Expected <expectseqno>. Dropping
- Explanation
- Mismatching sequence numbers. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- seqno
expectseqno
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.11. mismatched_first_ack_seqno (ID: 03300013)
- Default Severity
- WARNING
- Log Message
- SYNACK packet with seq <seqno>. Expected <expectseqno>. Dropping
- Explanation
- Mismatching sequence numbers. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- seqno
expectseqno
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.12. rst_out_of_bounds (ID: 03300015)
- Default Severity
- WARNING
- Log Message
- Originator RST seq <seqno> is not in window <winstart>...<winend>. Dropping
- Explanation
- The RST flag sequence number is not within the receiver window. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- seqno
winstart
winend
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.13. unacceptable_ack (ID: 03300017)
- Default Severity
- NOTICE
- Log Message
- TCP acknowledgement <ack> is not in the acceptable range <accstart>-<accend>. Dropping
- Explanation
- A TCP segment with an unacceptable acknowledgement number was received during state SYN_SENT. The packet will be dropped.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Parameters
- ack
accstart
accend
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.14. rst_without_ack (ID: 03300018)
- Default Severity
- NOTICE
- Log Message
- TCP RST segment without ACK during state SYN_SENT. Dropping
- Explanation
- A TCP segment with the RST flag but not the ACK flag was received during state SYN_SENT. The packet will be dropped.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.15. tcp_recv_windows_drained (ID: 03300022)
- Default Severity
- CRITICAL
- Log Message
- Out of large TCP receive windows. Maximum windows: <max_windows>. Triggered <num_events> times last 10 seconds.
- Explanation
- The TCP stack could not accept incoming data since it has run out of large TCP receive windows. This event was triggered [num_events] times during the last 10 seconds.
- Firewall Action
- close
- Recommended Action
- If the system is configured to use TCP-based ALGs, increase the maximum sessions parameter on the associated service.
- Revision
- 1
- Parameters
- max_windows
[num_events]
2.70.16. tcp_snd_windows_drained (ID: 03300023)
- Default Severity
- CRITICAL
- Log Message
- Out of large TCP send windows. Maximum windows: <max_windows>. Triggered <num_events> times last 10 seconds.
- Explanation
- The TCP stack could not send data since it has run out of large TCP send windows. This event was triggered [num_events] times during the last 10 seconds.
- Firewall Action
- close
- Recommended Action
- If the system is configured to use TCP-based ALGs, increase the maximum sessions parameter on the associated service.
- Revision
- 1
- Parameters
- max_windows
[num_events]
2.70.17. tcp_get_freesocket_failed (ID: 03300024)
- Default Severity
- WARNING
- Log Message
- System was not able to get a free socket. Triggered <num_events> times last 10 seconds.
- Explanation
- The TCP stack could not get a free socket. This event was triggered [num_events] times during the last 10 seconds.
- Firewall Action
- None
- Recommended Action
- None
- Revision
- 1
2.70.18. tcp_seqno_too_low_with_syn (ID: 03300025)
- Default Severity
- DEBUG
- Log Message
- TCP sequence number <seqno> is not in the acceptable range <accstart>-<accend>. Dropping
- Explanation
- A TCP segment with an unacceptable sequence number was received. The packet will be dropped.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 2
- Parameters
- seqno
accstart
accend
- Context Parameters
- Rule Name
Connection
Packet Buffer
2.70.19. tcp_syn_fragmented (ID: 03300026)
- Default Severity
- NOTICE
- Log Message
- SYN packet is fragmented
- Explanation
- The SYN packet is fragmented. Ignoring.
- Firewall Action
- ignore
- Recommended Action
- None
- Revision
- 1
- Context Parameters
- Rule Name
Packet Buffer
2.70.20. tcp_syn_fragmented (ID: 03300027)
- Default Severity
- NOTICE
- Log Message
- SYN packet is fragmented. Dropping
- Explanation
- The SYN packet is fragmented. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Context Parameters
- Rule Name
Packet Buffer
2.70.21. tcp_syn_data (ID: 03300028)
- Default Severity
- NOTICE
- Log Message
- SYN packet contains data
- Explanation
- The SYN packet contains payload data. Ignoring.
- Firewall Action
- ignore
- Recommended Action
- None
- Revision
- 1
- Context Parameters
- Rule Name
Packet Buffer
2.70.22. tcp_syn_data (ID: 03300029)
- Default Severity
- NOTICE
- Log Message
- SYN packet contains data. Dropping
- Explanation
- The SYN packet contains payload data. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Context Parameters
- Rule Name
Packet Buffer
2.70.23. tcp_null_flags (ID: 03300030)
- Default Severity
- WARNING
- Log Message
- Packet has no SYN, ACK, FIN or RST flag set. Dropping
- Explanation
- The packet has no SYN, ACK, FIN or RST flag set. Dropping packet.
- Firewall Action
- drop
- Recommended Action
- None
- Revision
- 1
- Context Parameters
- Rule Name
Packet Buffer
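
The flag conditions named in the tcp_flags_set, tcp_null_flags and tcp_syn_data entries above can be checked against a raw TCP segment, for example when confirming from a packet capture why one of these events fired. The following is an added example, not code from the firewall or its vendor; the function names `classify` and `make_segment` are hypothetical, the sample segments are constructed, and it assumes the first flag of each listed pair is the "good" flag.

```python
import struct

# TCP flag bits in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# (good_flag, bad_flag) pairs from the tcp_flags_set explanation.
# Assumption: the first flag of each listed pair is the "good" one.
BAD_PAIRS = [(SYN, URG), (SYN, PSH), (SYN, RST), (SYN, FIN), (FIN, URG)]


def classify(segment: bytes) -> list[str]:
    """Return the event names from this page whose stated condition the segment meets."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_byte, flags = struct.unpack_from("!BB", segment, 12)
    header_len = (offset_byte >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    events = []
    for good, bad in BAD_PAIRS:
        if flags & good and flags & bad:
            events.append(f"tcp_flags_set:{NAMES[good]}+{NAMES[bad]}")
    # tcp_null_flags: none of SYN, ACK, FIN or RST is set.
    if not flags & (SYN | ACK | FIN | RST):
        events.append("tcp_null_flags")
    # tcp_syn_data: SYN is set and bytes follow the TCP header.
    if flags & SYN and len(segment) > header_len:
        events.append("tcp_syn_data")
    return events


def make_segment(flags: int, payload: bytes = b"") -> bytes:
    """Build a constructed segment: 20-byte header, no options, zero checksum."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags, 8192, 0, 0)
    return header + payload


if __name__ == "__main__":
    for label, seg in [("SYN", make_segment(SYN)),
                       ("SYN+FIN", make_segment(SYN | FIN)),
                       ("no flags", make_segment(0)),
                       ("SYN with data", make_segment(SYN, b"x"))]:
        print(f"{label:14} -> {classify(seg) or 'no event'}")
```

Which action the firewall then takes (allow, strip, ignore or drop) depends on its configuration and is not modelled here.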