The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich

16. Packet Monkey Heaven

A packet monkey is an analyst who loves to examine packet headers, typically those of layer 3 (mainly IP) and layer 4 (predominantly TCP and UDP) of the OSI model. As far as the packet monkey is concerned, the world ends at layer 4. I dedicate this set of cases to the packet monkeys of the world, whose only joy is found in separating normal and suspicious traffic from malicious traffic.

Truncated TCP Options

Let's start by looking at odd headers, using an alert generated by the Snort decoder: Truncated Tcp Options. See the alert highlighted in Figure 16.1, a Sguil screenshot. (See Chapter 10 for information on Sguil.)

Figure 16.1. Truncated Tcp Options alert in Sguil

There's no Snort rule to display because this Truncated ...
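To make concrete what "truncated TCP options" means at the byte level, here is an added example (not code from the book or from Snort) that walks the TCP options area the way a decoder does. TCP options are encoded as a kind byte, a length byte that counts itself and the kind byte, and data; EOL (kind 0) and NOP (kind 1) are single bytes with no length. An option is truncated when its declared length claims more bytes than the data offset in the header leaves for options. The sample headers below are constructed for the example; the check mirrors what such a decoder alert reports in spirit, not Snort's exact source, which is an assumption on my part.

```python
import struct

# Single-byte TCP option kinds (no length field), per the TCP specification.
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1


def parse_tcp_options(options):
    """Walk the TCP options area.

    Returns (parsed, problem): parsed is a list of (kind, data) tuples decoded
    before any fault, and problem is None or a string naming why the walk
    stopped early (the condition a "truncated options" decoder alert reports).
    """
    parsed = []
    i = 0
    n = len(options)
    while i < n:
        kind = options[i]
        if kind == TCP_OPT_EOL:
            parsed.append((kind, b""))
            break  # End of option list; anything after is padding
        if kind == TCP_OPT_NOP:
            parsed.append((kind, b""))
            i += 1
            continue
        # Every other option carries a length byte covering kind + length + data
        if i + 1 >= n:
            return parsed, "kind byte present but length byte missing"
        length = options[i + 1]
        if length < 2:
            return parsed, "length field below 2 cannot cover kind and length bytes"
        if i + length > n:
            return parsed, "declared option length runs past end of options area"
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed, None


def tcp_options_from_header(tcp_header):
    """Slice the options bytes out of a raw TCP header using its data offset."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte fixed part")
    data_offset = (tcp_header[12] >> 4) * 4  # upper nibble of byte 12, in 32-bit words
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("data offset outside the captured header")
    return tcp_header[20:data_offset]


def check_truncated_tcp_options(tcp_header):
    """True if the header's options area would trip a truncated-options decoder check."""
    _, problem = parse_tcp_options(tcp_options_from_header(tcp_header))
    return problem is not None


def build_tcp_header(options, sport=40000, dport=80):
    """Constructed sample header: a SYN carrying the given options, padded with EOL."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + padded


# Constructed option strings for the example.
# Well-formed: MSS 1460, NOP, NOP, SACK-permitted.
GOOD_OPTIONS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"
# Truncated: the Timestamps option (kind 8) claims 10 bytes, only 2 remain.
TRUNCATED_OPTIONS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x08\x0a"

if __name__ == "__main__":
    for label, opts in (("good", GOOD_OPTIONS), ("truncated", TRUNCATED_OPTIONS)):
        hdr = build_tcp_header(opts)
        parsed, problem = parse_tcp_options(tcp_options_from_header(hdr))
        print(label, parsed, problem, check_truncated_tcp_options(hdr))
```

A decoder has to stop at the first bad length rather than keep reading, since the remaining bytes can no longer be trusted to line up on option boundaries; that is why the parser returns what it decoded so far together with the reason it stopped.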
