Is it possible to inspect TCP reserved bits with Zeek?

Hi All,

I’m testing Zeek/Bro capabilities in terms of detecting different types of steganography. After working with the ICMP protocol now I am trying to inspect the TCP protocol. I want to detect if the reserved bits in TCP are changed with help of TCP events. Unfortunately without success.

Is it possible to inspect TCP reserved bits with Zeek events? If not, is there any other possible way to detect whether those bits were changed?

Best regards,
Tomasz Koziak

I didn't see any events that currently carry the reserved bits, but it
would be simple to extend existing ones like `new_packet` and
`raw_packet`. You can find an example patch for that in the
`topic/jsiwek/tcp-hdr-reserved-bits` branch here:

    https://github.com/zeek/zeek/compare/topic/jsiwek/tcp-hdr-reserved-bits

Let me know if that works for your purposes and I'll turn it into a
pull request.

- Jon
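To make concrete what such an event extension would expose, here is an added example (not Jon's patch and not Zeek code) that does the same inspection offline in Python: it builds a few constructed TCP headers, reads the 4-bit reserved field that sits between Data Offset and the flag bits (as laid out in RFC 9293), and reports every packet where that field is non-zero, which is exactly the condition a steganography detector would alert on. The header layout is the standard one; the sample packets, port numbers and the `reserved` parameter of the builder are constructed here for illustration.

```python
import struct
from typing import Iterable, List, Tuple

TCP_MIN_HEADER_LEN = 20  # header without options


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, reserved: int = 0, window: int = 65535) -> bytes:
    """Build a minimal 20-byte TCP header (no options, checksum left zero).

    `reserved` fills the 4-bit field in the low nibble of byte 12, right
    after the Data Offset nibble (RFC 9293).  A conforming sender always
    sends it as zero, so a non-zero value is a constructed anomaly here.
    """
    data_offset_words = TCP_MIN_HEADER_LEN // 4  # 5 x 32-bit words
    byte12 = (data_offset_words << 4) | (reserved & 0x0F)
    return struct.pack("!HHIIBBHHH",
                       sport, dport, seq, ack,
                       byte12, flags & 0xFF,
                       window, 0, 0)  # window, checksum, urgent pointer


def tcp_data_offset(tcp_header: bytes) -> int:
    """Header length in bytes, from the high nibble of byte 12."""
    if len(tcp_header) < TCP_MIN_HEADER_LEN:
        raise ValueError("truncated TCP header")
    return (tcp_header[12] >> 4) * 4


def tcp_reserved_bits(tcp_header: bytes) -> int:
    """Return the 4 reserved bits (low nibble of byte 12) as an int 0..15."""
    if len(tcp_header) < TCP_MIN_HEADER_LEN:
        raise ValueError("truncated TCP header")
    return tcp_header[12] & 0x0F


def find_reserved_bit_packets(packets: Iterable[bytes]) -> List[Tuple[int, int]]:
    """Detection pass: (packet index, reserved value) for every header whose
    reserved field is non-zero.  Truncated headers are skipped, not alerted."""
    hits: List[Tuple[int, int]] = []
    for idx, hdr in enumerate(packets):
        try:
            value = tcp_reserved_bits(hdr)
        except ValueError:
            continue
        if value != 0:
            hits.append((idx, value))
    return hits


SYN, ACK = 0x02, 0x10

# Constructed sample traffic: two clean headers and two with reserved bits set.
SAMPLE_PACKETS = [
    build_tcp_header(40000, 80, 1000, 0, SYN),
    build_tcp_header(40000, 80, 1001, 5000, ACK, reserved=0b1010),
    build_tcp_header(40001, 443, 7, 0, SYN),
    build_tcp_header(40001, 443, 8, 9, ACK, reserved=0b0001),
]

if __name__ == "__main__":
    for idx, bits in find_reserved_bit_packets(SAMPLE_PACKETS):
        print(f"packet {idx}: reserved bits = {bits:04b}")
```

The same test (`byte12 & 0x0F != 0`) is what an event handler would apply once the reserved bits are carried in a Zeek event; a single non-zero packet is worth a notice, while a steady stream of them on one connection is the stronger covert-channel signal.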

Hi Jon,

Thank you, it’s working properly.
In the first place, I have modified the TCP_Flags.h to catch those bits, but your solution seems to be better.

Tomasz