Snort mailing list archives
Re: MISC IP Reserved bit set
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 11 Oct 2001 12:12:27 -0400
Actually, this is the *IP* reserved bit, right next to the MF and DF bits in the IP header. We have other rules that look for the TCP reserved bits. Anyway, if you were seeing this traffic you were either seeing something extremely broken sending out traffic (e.g. Windows or a broken router) or someone was purposefully sending you crafted packets. I'd suggest the latter.

-Marty

"Miller, Toby" wrote:

> The reserved bits have nothing to do with the PSH or URG flags. It can be one of two things:
>
> 1) Crafted packet. Queso sets these bits when it scans.
> 2) ECN. Explicit Congestion Notification. RFC 3168, 2884 and 2481
>
> I also wrote a paper on ECN, you can find that at securityfocus under IDS.
>
> Toby
>
> > On Tue, 9 Oct 2001, Jean Michel BARBET wrote:
> >
> > > I have used snort for about 2 months now and it is an invaluable tool both for auditing your network and for learning. Yesterday I got a bunch of:
> > >
> > > [**] [1:523:1] MISC IP Reserved bit set [**]
> > > 10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
> > > PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200
> > >
> > > (I replaced the real addresses by EXTERNAL_NET and HOME_NET)
> > >
> > > I got more than 6000 of these within 3 hours, then it stopped... There are many different sources and targets.
> > >
> > > I run snort V1.8 : Version 1.8-RELEASE (Build 43) By Martin Roesch (roesch () sourcefire com, www.snort.org)
> > >
> > > => Could somebody explain to me what are these alerts ?
> >
> > It means that there were some of the reserved bits set on some packets coming into your net. I'd guess either URG or PSH. Have a look at W. Richard Stevens' book TCP/IP Illustrated, Volume 1--The Protocols on p. 227 for a list. Section 17.3 explains much better than I what they are used for.
> >
> > The question you must figure out is 'Why?' That's not a normal thing for many nets. You should look at the packet payload and see if it looks 'odd' on some of those...
> >
> > > Also I am running two different versions of snort on two slightly different machines on the same mirrored port of a switch. These are V1.7 and the already mentioned V1.8-build 43. Both of them are dumping core about once a week.
> > >
> > > V1.7 runs on Linux RedHat 7.0, Kernel : 2.2.16-22
> > > V1.8 runs on Linux RedHat 7.0, kernel : 2.2.19-7.0.8
> >
> > First off, I'd suggest upgrading to 1.8.1-RELEASE on both boxes. 1.8.1 has quite a few changes for stability. If you do that, your problems might go away.
> >
> > > => Any idea of what is making snort crash ?
> > > Can I help by sending a core file ?
> >
> > Read the BUGS file and follow those instructions instead. :) It's got a set of steps for you to follow. Once you do that, we really don't need a core file sent to the list.
> >
> > Hope this helps!
> >
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
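As an added example (not code from this thread or from Snort itself), the Python below decodes an IPv4 header and reports the condition rule 1:523 alerts on, alongside the malformed IpLen visible in Jean Michel's alert line; the sample headers are constructed, and the RFC 3168 comment reflects that the ECN codepoint is carried in the TOS byte, not in the flags word Marty describes.

```python
import struct

# Bit positions in the IPv4 flags/fragment-offset word (RFC 791): the
# reserved bit sits beside DF and MF, which is what alert 1:523 keys on.
IP_FLAG_RESERVED = 0x8000
IP_FLAG_DF = 0x4000
IP_FLAG_MF = 0x2000

def build_ipv4_header(flags=0, ihl=5, tos=0, total_len=40, ident=1,
                      ttl=64, proto=6, src="192.0.2.1", dst="198.51.100.7"):
    """Build a 20-byte IPv4 header (checksum left zero); constructed test data."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total_len, ident,
                       flags & 0xE000, ttl, proto, 0, src_b, dst_b)

def parse_ipv4_header(pkt):
    """Decode the fields Snort prints in the alert line, plus the flag bits."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "ip_len": (ver_ihl & 0x0F) * 4,   # header length, printed as IpLen
        "tos": tos,
        "ecn": tos & 0x03,                # ECN codepoint (RFC 3168) lives here
        "dgm_len": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "reserved": bool(frag & IP_FLAG_RESERVED),
        "df": bool(frag & IP_FLAG_DF),
        "mf": bool(frag & IP_FLAG_MF),
    }

def inspect_packet(pkt):
    """Return (fields, findings): the rule-523 condition plus a header sanity
    check a responder would apply when weighing breakage against crafting."""
    h = parse_ipv4_header(pkt)
    findings = []
    if h["reserved"]:
        findings.append("MISC IP Reserved bit set")
    if h["ip_len"] < 20:
        findings.append("IpLen %d is below the 20-byte minimum" % h["ip_len"])
    return h, findings
```

Feeding `inspect_packet` a header built with `flags=IP_FLAG_RESERVED, ihl=3, total_len=200, ttl=153, proto=204` reproduces both anomalies of the posted alert, while an ordinary DF-only header yields no findings.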
Current thread:
- MISC IP Reserved bit set Jean Michel BARBET (Oct 08)
- Re: MISC IP Reserved bit set Erek Adams (Oct 09)
- RE: MISC IP Reserved bit set Ofir Arkin (Oct 15)
- <Possible follow-ups>
- Re: MISC IP Reserved bit set Miller, Toby (Oct 09)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 14)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: downloading rules from snort.org while snort is running on your server. Frontgate Lab (Oct 12)