Hi. I have a broadband router in front of me with two boxes (one XP, one Linux) in my local network.. and I still got this IDS msg saying Invalid TCP Option.. isn't the router acting as a firewall already.. how can the packet pass the router and get sent to my XP?
How can I detect the internal IP address of a network with a firewall like a router or Checkpoint around?
December 10th, 2003, 03:57 PM
Use Ethereal or TCPDump to look at the flags in the packets that trigger the alert. They are almost certainly not set to SYN alone and are probably a response to something your machine sent out. The responding machine is setting some IP option that is triggering the IDS rule.
December 11th, 2003, 02:45 PM
Ermm.. I don't really understand you.. sorry...
December 11th, 2003, 03:02 PM
Well..... Er..... This is a rather large subject to go into......
I will simply say that you are probably in no danger whatsoever and leave it at that for now.
December 16th, 2003, 03:10 PM
OK, I am fine with it.. but theoretically, how did the packet manage to get into my router?
December 16th, 2003, 04:21 PM
Basically, it's not the business of the routers to be looking at and making decisions about the IP options some machine decides to set. So if your machine requests something from a server on the net and the server replies with some "odd" IP options the packet is going to get back to you regardless. What you are seeing is your IDS, whose job it is to look at such things and react, examining the packet and determining that the IP options are, indeed, "odd" and is dutifully reporting it to you.
If you take a look at the log of the packets in the IDS you should be able to see that the flags set are not simply SYN; it will probably be SYN in combination with ACK, PSH or whatever, though it may be a FIN combination too. In either case, assuming the only flag set is not SYN, then the packets are responses to valid connections made by one of your boxes and thus the firewall will allow them to pass. Were they only SYN packets then the firewall should be dropping them, and if it isn't then it isn't working or you have some ports forwarded through the firewall to internal machines.
To be really sure you need to put a packet sniffer on the inside of the network and examine the packets it logs to determine what exactly is going on. If you are having a problem reading the packet dumps then sanitize them and post them here and we'll all have a look.
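The check the reply above describes, as an added example that is not part of this thread: a small Python decoder that takes a raw IPv4/TCP packet (the bytes a sniffer on the inside of the network would capture), reports which TCP flags are set, walks the TCP option list to see whether it is well-formed (a bad option length is the kind of thing an "Invalid TCP Option" rule fires on), and tells you whether the packet is a bare SYN or a reply to a connection one of your own boxes opened. The three sample packets are constructed here with documentation addresses, not taken from anyone's capture.

```python
import struct

# Constructed sample traffic (documentation addresses), not captured from the poster's network.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_tcp_options(opts):
    """Walk the TCP option TLVs; return (list of option kinds, error string or None)."""
    i, kinds = 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP is a single byte, no length field
            kinds.append(kind); i += 1; continue
        if i + 1 >= len(opts):
            return kinds, "kind %d has no length byte" % kind
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # malformed: what an IDS reports as an invalid option
            return kinds, "kind %d has bad length %d" % (kind, length)
        kinds.append(kind); i += length
    return kinds, None

def classify_ipv4_tcp(pkt):
    """Decode IPv4+TCP headers: flags set, option sanity, and whether it is an unsolicited bare SYN."""
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4              # TCP header length in bytes, options live in tcp[20:doff]
    flags = tcp[13]
    kinds, err = parse_tcp_options(tcp[20:doff])
    return {"flags": [n for b, n in sorted(TCP_FLAGS.items()) if flags & b],
            "options": kinds, "option_error": err,
            "unsolicited_syn": (flags & 0x12) == 0x02}   # SYN without ACK: nobody inside asked for it

def build_ipv4_tcp(src, dst, sport, dport, flags, options=b""):
    """Assemble a minimal IPv4+TCP packet for the samples (checksums left zero on purpose)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (5 + len(options) // 4) << 4,
                      flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return ip + tcp

SERVER, XP_BOX = bytes([203, 0, 113, 5]), bytes([192, 168, 1, 10])
REPLY = build_ipv4_tcp(SERVER, XP_BOX, 80, 40000, 0x12, b"\x02\x04\x05\xb4")  # SYN/ACK with MSS 1460
ODD = build_ipv4_tcp(SERVER, XP_BOX, 80, 40000, 0x18, b"\x01\x01\x08\x00")    # PSH/ACK, option length 0
SCAN = build_ipv4_tcp(SERVER, XP_BOX, 40001, 135, 0x02)                        # bare SYN from outside
```

Calling classify_ipv4_tcp(ODD) shows a PSH/ACK reply with a broken option list, which a stateful firewall passes because it belongs to an established connection, while classify_ipv4_tcp(SCAN) marks the bare SYN that the firewall should have dropped.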