Recently, Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels (CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)).
We want to detect this flaw with Zeek, but it looks like there's no way to get the MSS (maximum segment size) value of the TCP option. Any ideas?
It just dawned on me. I did this for CVE-2019-11477 the other day. The below should add “mss” and “sack_ok” fields to your CONN log for all TCP connections.
I’m not great at Zeek scripting, so take this with some caution. I’m sure there are folks here on the list that could better optimize this.
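For readers following the thread, here is an added sketch of one way to do this in Zeek; it is not the script from the reply above. It uses Zeek's `connection_SYN_packet` event and `SYN_packet` record. The `LowMSS` module name, the `syn_mss`/`syn_sack_ok` helper fields, the `Low_MSS` notice and the 500-byte threshold are assumptions made for this example.

```zeek
@load base/protocols/conn
@load base/frameworks/notice

module LowMSS;

export {
    redef enum Notice::Type += { Low_MSS };
    # Assumed alerting threshold for this example; tune it for your network.
    const min_mss: count = 500 &redef;
}

# Scratch fields on the connection: c$conn is not populated yet when the SYN is seen.
redef record connection += {
    syn_mss: count &optional;
    syn_sack_ok: bool &optional;
};

# Extra columns in conn.log.
redef record Conn::Info += {
    mss: count &log &optional;
    sack_ok: bool &log &optional;
};

event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    # Record only what the originator advertised in its SYN.
    if ( ! pkt$is_orig )
        return;

    c$syn_mss = pkt$MSS;
    c$syn_sack_ok = pkt$SACK_OK;

    # An MSS of 0 is treated here as "no MSS option seen" and is not alerted on.
    if ( pkt$MSS > 0 && pkt$MSS < min_mss )
        NOTICE([$note=Low_MSS, $conn=c,
                $msg=fmt("SYN advertised MSS %d (below %d)", pkt$MSS, min_mss),
                $identifier=cat(c$id$orig_h)]);
    }

# Default priority (0) runs after the conn script fills c$conn and before it writes the log.
event connection_state_remove(c: connection)
    {
    if ( ! c?$conn )
        return;
    if ( c?$syn_mss )
        c$conn$mss = c$syn_mss;
    if ( c?$syn_sack_ok )
        c$conn$sack_ok = c$syn_sack_ok;
    }
```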