Re: MISC IP Reserved bit set

[Martin Roesch <roesch () sourcefire com>]

Actually, this is the *IP* reserved bit, right next to the MF and DF
bits in the IP header.  We have other rules that look for the TCP
reserved bits.  Anyway, if you were seeing this traffic you were either
seeing something extremely broken sending our traffic (e.g. Windows or a
broken router) or someone was purposefully sending you crafted packets. 
I'd suggest the latter.

      -Marty

"Miller, Toby" wrote:
> The reserved bits have nothing to do with the PSH or URG flags. It can
> be one of two things:
>
> 1) Crafted packet. Queso sets these bits when it scans.
>
> 2) ECN. Explicit Congestion Notification. RFC 3168, 2884 and 2481 I also
> wrote a paper on ECN, you can find that at securityfocus under IDS.
>
>
> Toby
>
> On Tue, 9 Oct 2001, Jean Michel BARBET wrote:
>
> > I have used snort for about 2 months now and it is an unvaluable tool
> > both for auditing your network and for learning.
> >
> > Yesterday I got a bunch of :
> >
> > [**] [1:523:1] MISC IP Reserved bit set [**]
> > 10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
> > PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200
> >
> > (I replaced the real addresses by EXTERNAL_NET and HOME_NET)
> > I got more than 6000 of these within 3 hours, then it stopped...
> > There are many different sources and targets.
> >
> > I run snort V1.8 :
> > Version 1.8-RELEASE (Build 43)
> > By Martin Roesch (roesch () sourcefire com, www.snort.org)
> >
> > => Could somebody explain to me what are these alerts ?
>
> It means that there were some of the reserved bits set on some packets
> coming
> into your net.  I'd guess either URG or PSH.  Have a look at W. Richard
> Stevens book TCP/IP Illustrated, Volume 1--The Protocols on p. 227 for a
> list.
> Section 17.3 explains much better than I what they are used for.  The
> question
> you must figure out is 'Why?'  That's not a normal thing for many nets.
> You
> should look at the packet payload and see if it looks 'odd' on some of
> those...
>
> > Also I am running two different versions of snort on two slightly
> > different machines on the same mirrored port of a switch.  These are
> V1.7
> > and the already mentioned V1.8-build 43.
> >
> > Both of them are dumping core about once a week.
> >
> > V1.7 runs on Linux RedHat 7.0, Kernel : 2.2.16-22
> > V1.8 runs on Linux RedHat 7.0, kernel : 2.2.19-7.0.8
>
> First off, I'd suggest upgrading to 1.8.1-RELEASE on both boxes.  1.8.1
> has
> quite a few changes for stability.  If you do that, your problems might
> go
> away.
>
> > => Any idea of what is making snort crash ? Can I help by sending
> >    a core file ?
>
> Read the BUGS file and follow those instructions instead.  :)  It's got
> a set
> of steps for you to follow.  Once you do that, we really don't need a
> core
> file sent to the list.
>
> Hope this helps!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users