Snort mailing list archives
Re: MISC IP Reserved bit set
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 9 Oct 2001 07:32:22 -0700 (PDT)
On Tue, 9 Oct 2001, Jean Michel BARBET wrote:
> I have used snort for about 2 months now and it is an invaluable tool both for auditing your network and for learning. Yesterday I got a bunch of:
>
> [**] [1:523:1] MISC IP Reserved bit set [**]
> 10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200
>
> (I replaced the real addresses by EXTERNAL_NET and HOME_NET.) I got more than 6000 of these within 3 hours, then it stopped... There are many different sources and targets. I run snort V1.8:
>
> Version 1.8-RELEASE (Build 43) By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
> => Could somebody explain to me what these alerts are?
It means that there were some of the reserved bits set on some packets coming into your net. I'd guess either URG or PSH. Have a look at W. Richard Stevens' book TCP/IP Illustrated, Volume 1 -- The Protocols, p. 227, for a list. Section 17.3 explains much better than I what they are used for. The question you must figure out is 'Why?' That's not a normal thing for many nets. You should look at the packet payload and see if it looks 'odd' on some of those...
> Also I am running two different versions of snort on two slightly different machines on the same mirrored port of a switch. These are V1.7 and the already mentioned V1.8-build 43. Both of them are dumping core about once a week.
> V1.7 runs on Linux RedHat 7.0, kernel: 2.2.16-22
> V1.8 runs on Linux RedHat 7.0, kernel: 2.2.19-7.0.8
First off, I'd suggest upgrading to 1.8.1-RELEASE on both boxes. 1.8.1 has quite a few changes for stability. If you do that, your problems might go away.
> => Any idea of what is making snort crash? Can I help by sending a core file?
Read the BUGS file and follow those instructions instead. :) It's got a set of steps for you to follow. Once you do that, we really don't need a core file sent to the list.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
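For readers who want to see what the alert above actually keys on: the "IP Reserved bit" is the most significant bit of the 16-bit flags/fragment-offset word in the IPv4 header, which RFC 791 requires to be zero (the other two flag bits are DF and MF). The following is an added example, not code from the thread or from Snort, that decodes a raw IPv4 header, reports the same fields the alert line prints (proto, TTL, ID, IpLen, DgmLen), and flags both the reserved bit and a header-length value below the 20-byte minimum (the alert's IpLen:12 is such a value, which is why the packets deserve a closer look). The two sample packets are constructed here to mimic the alert; the checksum is left at zero because nothing validates it.

```python
import struct

# IPv4 fixed header: version/IHL, TOS, total length, ID, flags+frag offset,
# TTL, protocol, checksum, src, dst (RFC 791, network byte order).
_IPV4_FMT = "!BBHHHBBH4s4s"

# Flag bits inside the 16-bit flags/fragment-offset word.
FLAG_RESERVED = 0x8000   # must be zero per RFC 791; this is what sid 523 fires on
FLAG_DF = 0x4000         # Don't Fragment
FLAG_MF = 0x2000         # More Fragments


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the first 20 bytes of an IPv4 packet into a dict of header fields."""
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack(_IPV4_FMT, pkt[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4  # IHL is in 32-bit words; Snort prints it as IpLen
    return {
        "version": ver_ihl >> 4,
        "ip_len": ihl_bytes,
        "dgm_len": total_len,
        "id": ident,
        "ttl": ttl,
        "tos": tos,
        "proto": proto,
        "reserved_bit": bool(flags_frag & FLAG_RESERVED),
        "dont_fragment": bool(flags_frag & FLAG_DF),
        "more_fragments": bool(flags_frag & FLAG_MF),
        "frag_offset": flags_frag & 0x1FFF,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def check_packet(pkt: bytes):
    """Return (header, findings): findings lists the anomalies a defender would triage."""
    h = parse_ipv4_header(pkt)
    findings = []
    if h["reserved_bit"]:
        findings.append("MISC IP Reserved bit set")
    if h["ip_len"] < 20:
        findings.append("IP header length below 20 bytes")
    return h, findings


def build_ipv4_header(*, ihl=5, tos=0, total_len=200, ident=153, flags=0,
                      frag_off=0, ttl=153, proto=204,
                      src=b"\x0a\x00\x00\x01", dst=b"\xc0\xa8\x01\x02") -> bytes:
    """Construct a 20-byte IPv4 header for test input. flags is the 3-bit field
    (reserved=0b100, DF=0b010, MF=0b001); checksum is left at zero on purpose."""
    ver_ihl = (4 << 4) | ihl
    flags_frag = (flags << 13) | frag_off
    return struct.pack(_IPV4_FMT, ver_ihl, tos, total_len, ident, flags_frag,
                       ttl, proto, 0, src, dst)


# Constructed sample mimicking the alert in the thread: proto 204, TTL 153,
# ID 153, DgmLen 200, IpLen 12 (IHL=3) and the reserved flag bit set.
SAMPLE_RESERVED = build_ipv4_header(ihl=3, flags=0b100) + b"\x00" * 180

# Constructed ordinary packet: TCP, DF set, sane header length.
SAMPLE_NORMAL = build_ipv4_header(ihl=5, flags=0b010, ttl=64, proto=6,
                                  total_len=40) + b"\x00" * 20


if __name__ == "__main__":
    for name, pkt in (("reserved", SAMPLE_RESERVED), ("normal", SAMPLE_NORMAL)):
        hdr, findings = check_packet(pkt)
        print(f"{name}: PROTO{hdr['proto']} TTL:{hdr['ttl']} ID:{hdr['id']} "
              f"IpLen:{hdr['ip_len']} DgmLen:{hdr['dgm_len']} -> {findings or 'ok'}")
```

Run against captured packets (for example the raw bytes of each frame after the Ethernet header) to confirm whether the flag really is set in the wire data, and treat a header length below 20 bytes as a sign of crafted or corrupted packets rather than a normal protocol quirk.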
Current thread:
- MISC IP Reserved bit set Jean Michel BARBET (Oct 08)
- Re: MISC IP Reserved bit set Erek Adams (Oct 09)
- RE: MISC IP Reserved bit set Ofir Arkin (Oct 15)
- <Possible follow-ups>
- Re: MISC IP Reserved bit set Miller, Toby (Oct 09)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 14)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: downloading rules from snort.org while snort is running on your server. Frontgate Lab (Oct 12)