I have a FreeBSD host which I noticed recently triggering some snort
decoder alerts due to using a TCP window scaling (rfc1323) value of
15. The decoder is tripping because anything greater than 14 is
considered invalid. This text from the RFC seems to support it:

Since the max window is 2**S (where S is the scaling shift count)
times at most 2**16 - 1 (the maximum unscaled window), the maximum
window is guaranteed to be < 2**30 if S <= 14.  Thus, the shift
count must be limited to 14 (which allows windows of 2**30 = 1
Gbyte).  If a Window Scale option is received with a shift.cnt
value exceeding 14, the TCP should log the error but use 14
instead of the specified value.

http://www.networksorcery.com/enp/protocol/tcp/option003.htm suggests
the option should only be set on a SYN packet.

Packet data:

11:41:18.424938 IP (tos 0x0, ttl  46, id 58935, offset 0, flags
[none], proto: TCP (6), length: 60) > FP, cksum 0x0900 (correct), 1645233436:1645233436(0)
win 65535 urg 0 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
        0x0000:  4500 003c e637 0000 2e06 4589 89a0 f15a  E..<.7....E....Z
        0x0010:  a5c3 403d 85af 0001 6210 451c 86c4 20ed  [EMAIL PROTECTED]
        0x0020:  a029 ffff 0900 0000 0303 0f01 0204 0109  .)..............
        0x0030:  080a ffff ffff 0000 0000 0402            ............

This packet was generated during a probe of a remote system's echo
service using nc(1). It may have come when the ctrl+c was issued.

net.inet.tcp.rfc1323 is enabled.

The following are sysctl changes in effect on the system:


So, is it indeed wrong for FreeBSD to set a window scale value of 15
or on a non-SYN? Any problems to take care of?


Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.3-PRERELEASE #0: Fri Nov 30 16:05:54 MST 2007
    [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz (2327.51-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x6f7  Stepping = 7
  AMD Features=0x20100000<NX,LM>
  AMD Features2=0x1<LAHF>
  Cores per package: 4
real memory  = 3219169280 (3070 MB)
avail memory = 3144863744 (2999 MB)
ACPI APIC Table: <DELL   B8K    >
FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
 cpu2 (AP): APIC ID:  2
 cpu3 (AP): APIC ID:  3
 cpu4 (AP): APIC ID:  4
 cpu5 (AP): APIC ID:  5
 cpu6 (AP): APIC ID:  6
 cpu7 (AP): APIC ID:  7
ioapic0: Changing APIC ID to 8
ioapic1: Changing APIC ID to 9
ioapic0 <Version 2.0> irqs 0-23 on motherboard
ioapic1 <Version 2.0> irqs 24-47 on motherboard
kbd1 at kbdmux0
netsmb_dev: loaded
ath_hal: (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: <DELL B8K    > on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
cpu2: <ACPI CPU> on acpi0
cpu3: <ACPI CPU> on acpi0
cpu4: <ACPI CPU> on acpi0
cpu5: <ACPI CPU> on acpi0
cpu6: <ACPI CPU> on acpi0
cpu7: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> irq 16 at device 0.0 on pci1
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> irq 16 at device 0.0 on pci2
pci3: <ACPI PCI bus> on pcib3
pcib4: <PCI-PCI bridge> irq 16 at device 1.0 on pci2
pci4: <PCI bus> on pcib4
pcib5: <ACPI PCI-PCI bridge> at device 0.3 on pci1
pci5: <ACPI PCI bus> on pcib5
fwohci0: <Lucent FW322/323> mem 0xdceff000-0xdcefffff irq 26 at device
5.0 on pci5
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channels is 8.
fwohci0: EUI64 00:00:d1:00:80:35:7a:57
fwohci0: Phy 1394a available S400, 3 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: <IEEE1394(FireWire) bus> on fwohci0
fwe0: <Ethernet over FireWire> on firewire0
if_fwe0: Fake Ethernet address: 02:00:d1:35:7a:57
fwe0: Ethernet address: 02:00:d1:35:7a:57
fwe0: if_start running deferred for Giant
sbp0: <SBP-2/SCSI over FireWire> on firewire0
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
pcib6: <ACPI PCI-PCI bridge> at device 3.0 on pci0
pci6: <ACPI PCI bus> on pcib6
pcib7: <ACPI PCI-PCI bridge> at device 4.0 on pci0
pci7: <ACPI PCI bus> on pcib7
pci7: <display, VGA> at device 0.0 (no driver attached)
pcib8: <ACPI PCI-PCI bridge> at device 5.0 on pci0
pci8: <ACPI PCI bus> on pcib8
pcib9: <ACPI PCI-PCI bridge> at device 6.0 on pci0
pci9: <ACPI PCI bus> on pcib9
pcib10: <ACPI PCI-PCI bridge> at device 7.0 on pci0
pci10: <ACPI PCI bus> on pcib10
pcm0: <Intel 631x/632xESB High Definition Audio Controller> mem
0xdfffc000-0xdfffffff irq 16 at device 27.0 on pci0
pcib11: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pci11: <ACPI PCI bus> on pcib11
bge0: <Broadcom BCM5752 A2, ASIC rev. 0x6002> mem
0xdccf0000-0xdccfffff irq 16 at device 0.0 on pci11
miibus0: <MII bus> on bge0
brgphy0: <BCM5752 10/100/1000baseTX PHY> on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
bge0: Ethernet address: 00:1a:a0:ac:eb:69
uhci0: <UHCI (generic) USB controller> port 0xff80-0xff9f irq 21 at
device 29.0 on pci0
usb0: <UHCI (generic) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <UHCI (generic) USB controller> port 0xff60-0xff7f irq 22 at
device 29.1 on pci0
usb1: <UHCI (generic) USB controller> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: <UHCI (generic) USB controller> port 0xff40-0xff5f irq 18 at
device 29.2 on pci0
usb2: <UHCI (generic) USB controller> on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3: <UHCI (generic) USB controller> port 0xff20-0xff3f irq 23 at
device 29.3 on pci0
usb3: <UHCI (generic) USB controller> on uhci3
usb3: USB revision 1.0
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xff980800-0xff980bff
irq 21 at device 29.7 on pci0
usb4: waiting for BIOS to give up control
usb4: EHCI version 1.0
usb4: companion controllers, 2 ports each: usb0 usb1 usb2 usb3
usb4: <EHCI (generic) USB 2.0 controller> on ehci0
usb4: USB revision 2.0
uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
pcib12: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci12: <ACPI PCI bus> on pcib12
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel 63XXESB2 UDMA100 controller> port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xffa0-0xffaf irq 16 at device
31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
atapci1: <Intel 63XXESB2 SATA300 controller> port
mem 0xff970000-0xff9703ff irq 20 at device 31.2 on pci0
atapci1: AHCI called from vendor specific driver
atapci1: AHCI Version 01.10 controller with 6 ports detected
ata2: <ATA channel 0> on atapci1
ata3: <ATA channel 1> on atapci1
ata4: <ATA channel 2> on atapci1
ata5: <ATA channel 3> on atapci1
ata6: <ATA channel 4> on atapci1
ata7: <ATA channel 5> on atapci1
ata7: port not implemented
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <ECP parallel printer port> port 0x378-0x37f,0x778-0x77f irq 7 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppbus0: <Parallel port bus> on ppc0
ppi0: <Parallel I/O> on ppbus0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem
0xc0000-0xcbfff,0xcc000-0xcdfff,0xce000-0xd2fff,0xd3000-0xd3fff on
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
uhub5: Dell Dell USB Keyboard Hub, class 9/0, rev 1.10/48.01, addr 2
uhub5: 3 ports with 2 removable, bus powered
ukbd0: Dell Dell USB Keyboard Hub, rev 1.10/48.00, addr 3, iclass 3/1
kbd2 at ukbd0
uhid0: Dell Dell USB Keyboard Hub, rev 1.10/48.00, addr 3, iclass 3/1
ums0: vendor 0x0461 USB Optical Mouse, rev 2.00/2.00, addr 4, iclass 3/1
ums0: 3 buttons and Z dir.
Timecounters tick every 1.000 msec
acd0: DVDR <PHILIPS DVD+/-RW DVD8801/AD21> at ata0-master UDMA33
ad4: 152587MB <WDC WD1600ADFS-75SLR2 21.07Q21> at ata2-master SATA300
ad6: 152587MB <WDC WD1600ADFS-75SLR2 21.07Q21> at ata3-master SATA300
pcm0: <HDA Codec: Sigmatel STAC9220>
pcm0: <HDA Driver Revision: 20071129_0050>
acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00
acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00
ar0: 152585MB <Intel MatrixRAID RAID1> status: READY
ar0: disk0 READY (master) using ad4 at ata2-master
ar0: disk1 READY (mirror) using ad6 at ata3-master
SMP: AP CPU #1 Launched!
SMP: AP CPU #7 Launched!
SMP: AP CPU #2 Launched!
SMP: AP CPU #3 Launched!
SMP: AP CPU #6 Launched!
SMP: AP CPU #5 Launched!
SMP: AP CPU #4 Launched!
cd0 at ata0 bus 0 target 0 lun 0
cd0: <PHILIPS DVD+-RW DVD8801 AD21> Removable CD-ROM SCSI-0 device
cd0: 33.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present
Trying to mount root from ufs:/dev/ar0s1a

Darren Spruell
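
Added example, not part of the original post and not Snort's decoder code: a small Python check that parses the TCP options out of the packet bytes shown in the hex dump above and applies the two conditions the post asks about (shift count above 14, Window Scale option on a segment without SYN). The function names are illustrative assumptions; the packet bytes are transcribed from the dump in the post.

```python
import struct
# Bytes transcribed from the hex dump in the post (IPv4 header + TCP segment).
PACKET = bytes.fromhex(
    "4500003ce63700002e06458989a0f15aa5c3403d"   # IPv4 header (20 bytes)
    "85af00016210451c86c420eda029ffff09000000"   # TCP fixed header (20 bytes)
    "03030f0102040109080affffffff000000000402"   # TCP options (20 bytes)
)
MAX_SHIFT = 14   # limit from the RFC text quoted in the post
SYN = 0x02

def tcp_segment(ip_packet):
    """Strip the IPv4 header (IHL counts 32-bit words) and return the TCP segment."""
    if ip_packet[9] != 6:
        raise ValueError("not a TCP packet")
    return ip_packet[(ip_packet[0] & 0x0F) * 4:]

def parse_options(tcp):
    """Return (flags, [(kind, data), ...]) for a TCP segment; NOPs are skipped."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    hdr_len = (off_flags >> 12) * 4          # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(tcp):
        raise ValueError("bad data offset")
    flags, opts, i = off_flags & 0x01FF, [], 20
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            raise ValueError("malformed option length")
        opts.append((kind, tcp[i + 2:i + tcp[i + 1]]))
        i += tcp[i + 1]
    return flags, opts

def wscale_findings(ip_packet):
    """List the Window Scale (kind 3) anomalies present in one IPv4/TCP packet."""
    flags, opts = parse_options(tcp_segment(ip_packet))
    findings = []
    for kind, data in opts:
        if kind == 3 and len(data) == 1:
            if data[0] > MAX_SHIFT:
                findings.append(f"shift count {data[0]} exceeds {MAX_SHIFT}")
            if not flags & SYN:
                findings.append("window scale option on a non-SYN segment")
    return findings
```

Calling `wscale_findings(PACKET)` reports both conditions for this packet: the TCP flags field decodes to 0x29 (FIN, PSH, URG, no SYN) and the option carries a shift count of 15.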
