The Tao of Network Security Monitoring Beyond Intrusion Detection

16. Packet Monkey Heaven

A packet monkey is an analyst who loves to examine packet headers, typically those for layers 3 (mainly IP) and 4 (TCP and UDP, predominantly) of the OSI model. As far as the packet monkey is concerned, the world ends at layer 4. I dedicate this set of cases to the packet monkeys of the world whose only joy is found in separating the normal and suspicious traffic from malicious traffic.

Truncated TCP Options

Let's start by looking at odd headers with an alert generated by the Snort decoder: Truncated Tcp Options. See the alert highlighted in Figure 16.1, a Sguil screenshot. (See Chapter 10 for information on Sguil.)

Figure 16.1. Truncated Tcp Options alert in Sguil

There's no Snort rule to display because this Truncated ...

Get The Tao of Network Security Monitoring Beyond Intrusion Detection now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

The Tao of Network Security Monitoring Beyond Intrusion Detection by

16. Packet Monkey Heaven

Truncated TCP Options

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly