Protocol anomalies

Beyond the common properties and protocol-specific properties, ADM also detects hundreds of anomalies in low-level, transport, and application protocols. All protocol anomaly properties are of type Boolean and are available in the Expression Component page when you are adding an ADM rule.

Table 1: IP

Term              Description
ip.too-small      IP packet is too small to contain a valid IP header.
ip.bad-offset     IP header length (data offset) points past the end of the packet.
ip.fragmented     IP packet is a fragment (More Fragments bit set or non-zero fragment offset).
ip.bad-checksum   IP header checksum does not match the header contents.
ip.bad-length     IP total length field claims more bytes than the packet actually contains.

Table 2: TCP

Term                                  Description
tcp.too-small                         TCP segment is too small to contain a valid TCP header.
tcp.bad-offset                        TCP data offset points past the end of the segment.
tcp.unexpected-fin                    FIN flag set on a connection that is not in the established state.
tcp.unexpected-syn                    SYN flag set on a connection that is already established.
tcp.duplicate-ack                     Segment acknowledges data that has already been acknowledged.
tcp.segment-outside-window            Segment falls outside the receive window tracked by the TCP module (a small internal window, not the peer's advertised window).
tcp.urgent-nonzero-without-urg-flag   Urgent pointer field is non-zero but the URG flag is not set.
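The IP and TCP properties in Tables 1 and 2 are bounds and consistency checks on the raw headers, so they can be evaluated without any session context, except for the flag checks that depend on connection state. The following Python is an added example, not ADM's own code, that evaluates those properties over a raw IPv4 packet. The connection state is supplied by the caller as an `established` boolean (an assumption: ADM tracks this itself); the stream-tracking properties tcp.duplicate-ack and tcp.segment-outside-window are left out because they need per-connection sequence state. The sample packets are constructed inline, not captured traffic.

```python
import struct

# Property names as listed in Tables 1 and 2 (stream-state checks omitted).
IP_PROPS = ("ip.too-small", "ip.bad-offset", "ip.fragmented",
            "ip.bad-checksum", "ip.bad-length")
TCP_PROPS = ("tcp.too-small", "tcp.bad-offset", "tcp.unexpected-fin",
             "tcp.unexpected-syn", "tcp.urgent-nonzero-without-urg-flag")
TCP_FIN, TCP_SYN, TCP_URG = 0x01, 0x02, 0x20


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a header whose checksum
    field is already filled in, a correct header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_anomalies(pkt: bytes) -> dict:
    """Evaluate the Table 1 properties on a raw IPv4 packet (no link layer)."""
    flags = dict.fromkeys(IP_PROPS, False)
    if len(pkt) < 20:                       # minimum IPv4 header
        flags["ip.too-small"] = True
        return flags
    ihl = (pkt[0] & 0x0F) * 4               # header length in bytes
    if ihl < 20 or ihl > len(pkt):          # data offset outside the packet
        flags["ip.bad-offset"] = True
        return flags                        # nothing past this can be trusted
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if total_len > len(pkt):                # claims more bytes than we have
        flags["ip.bad-length"] = True
    frag = struct.unpack_from("!H", pkt, 6)[0]
    if frag & 0x2000 or frag & 0x1FFF:      # MF bit or non-zero fragment offset
        flags["ip.fragmented"] = True
    if inet_checksum(pkt[:ihl]) != 0:
        flags["ip.bad-checksum"] = True
    return flags


def tcp_anomalies(seg: bytes, established: bool) -> dict:
    """Evaluate the stateless and state-dependent Table 2 properties on a TCP
    segment; `established` is the connection state the caller tracks."""
    flags = dict.fromkeys(TCP_PROPS, False)
    if len(seg) < 20:
        flags["tcp.too-small"] = True
        return flags
    data_off = (seg[12] >> 4) * 4
    if data_off < 20 or data_off > len(seg):
        flags["tcp.bad-offset"] = True
        return flags
    tcp_flags = seg[13]
    urg_ptr = struct.unpack_from("!H", seg, 18)[0]
    if tcp_flags & TCP_FIN and not established:
        flags["tcp.unexpected-fin"] = True
    if tcp_flags & TCP_SYN and established:
        flags["tcp.unexpected-syn"] = True
    if urg_ptr and not tcp_flags & TCP_URG:
        flags["tcp.urgent-nonzero-without-urg-flag"] = True
    return flags


def packet_anomalies(pkt: bytes, established: bool = False) -> dict:
    """IP checks first; TCP checks only if the IP header was sane and proto is 6."""
    result = ip_anomalies(pkt)
    if not (result["ip.too-small"] or result["ip.bad-offset"]) and pkt[9] == 6:
        ihl = (pkt[0] & 0x0F) * 4
        result.update(tcp_anomalies(pkt[ihl:], established))
    return result


# --- constructed sample packets (not captured traffic) ---------------------
def build_tcp(flags: int, urg_ptr: int = 0, data_off_words: int = 5) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       data_off_words << 4, flags, 65535, 0, urg_ptr)


def build_ipv4(payload: bytes, frag_field: int = 0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      frag_field, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + payload


if __name__ == "__main__":
    good = build_ipv4(build_tcp(0x18))   # PSH|ACK on an established flow
    print([k for k, v in packet_anomalies(good, True).items() if v])
    print([k for k, v in packet_anomalies(build_ipv4(build_tcp(TCP_SYN)), True).items() if v])
```

Each function returns a dict keyed by the property names above, so an ADM-style rule is simply a boolean expression over those keys. Note the early returns: once ip.bad-offset or tcp.bad-offset fires, later fields are read from wherever the bogus offset points, so the remaining properties are deliberately not evaluated.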

Table 3: DNS

Term                            Description
dns.too-small                   DNS message is too small to contain a valid DNS header.
dns.question-name-past-end      A name in the question section runs past the end of the message.
dns.answer-name-past-end        A name in the answer section runs past the end of the message.
dns.ipv4-address-length-wrong   An IPv4 address (A record) in a DNS response is not 4 bytes long.
dns.answer-circular-reference   A name in the answer section contains a compression-pointer loop, so it never terminates.
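The Table 3 properties all come down to how a DNS name parser handles the length-prefixed labels and compression pointers of RFC 1035: a label or pointer that reaches beyond the message is a past-end condition, and a pointer chain that revisits an offset is a circular reference. The following Python is an added example, not ADM's own code, of a name decoder that detects both conditions and an evaluator that maps them onto the Table 3 property names. It assumes the message is the bare UDP payload (no length prefix); the sample response is constructed inline.

```python
import struct

DNS_PROPS = ("dns.too-small", "dns.question-name-past-end",
             "dns.answer-name-past-end", "dns.ipv4-address-length-wrong",
             "dns.answer-circular-reference")


class NamePastEnd(Exception):
    """A label or pointer would be read beyond the end of the message."""


class NameLoop(Exception):
    """Compression pointers revisit an offset: the name never terminates."""


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at `off`. Returns (name, next_off),
    where next_off is the offset just after the name in the original stream."""
    labels, visited, end = [], set(), None
    while True:
        if off >= len(msg):
            raise NamePastEnd
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if off + 1 >= len(msg):
                raise NamePastEnd
            if end is None:
                end = off + 2                   # stream resumes after pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr in visited:                  # seen before -> cycle
                raise NameLoop
            visited.add(ptr)
            off = ptr
            continue
        if length == 0:                         # root label ends the name
            return ".".join(labels), (off + 1 if end is None else end)
        if off + 1 + length > len(msg):
            raise NamePastEnd
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length


def dns_anomalies(msg: bytes) -> dict:
    """Evaluate the Table 3 properties on a DNS message (UDP payload)."""
    flags = dict.fromkeys(DNS_PROPS, False)
    if len(msg) < 12:                           # fixed DNS header size
        flags["dns.too-small"] = True
        return flags
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        try:
            _, off = read_name(msg, off)
        except NamePastEnd:
            flags["dns.question-name-past-end"] = True
            return flags
        except NameLoop:
            return flags    # Table 3 defines no question-loop property; stop parsing
        off += 4            # QTYPE, QCLASS
    for _ in range(ancount):
        try:
            _, off = read_name(msg, off)
        except NamePastEnd:
            flags["dns.answer-name-past-end"] = True
            return flags
        except NameLoop:
            flags["dns.answer-circular-reference"] = True
            return flags
        if off + 10 > len(msg):
            return flags    # truncated fixed RR fields: not a Table 3 property
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlength != 4:        # A record must carry 4 bytes
            flags["dns.ipv4-address-length-wrong"] = True
        off += rdlength
    return flags


# --- constructed sample message (not captured traffic) ---------------------
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(rdata: bytes, rtype: int = 1) -> bytes:
    """One question for example.com; one answer whose name is a pointer
    (0xC00C) back to the question name at offset 12. Answer starts at 29."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    good = build_response(bytes([93, 184, 216, 34]))
    looped = good[:29] + b"\xC0\x1D" + good[31:]   # answer name points at itself
    print([k for k, v in dns_anomalies(looped).items() if v])
```

The visited set is what turns an infinite loop into a detectable anomaly: RFC 1035 only permits pointers to earlier offsets, but a parser that merely follows pointers will spin forever on a self-referencing one, which is exactly the case dns.answer-circular-reference is meant to catch. Tracking `end` separately from `off` is also essential, because after following a pointer the record's fixed fields continue after the two pointer bytes, not after the name the pointer led to.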