Snort mailing list archives
RE: MISC IP Reserved bit set
From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 15 Oct 2001 12:57:07 +0200
Jean,

There is no reason whatsoever for the IP unused bit to be set (this is the one next to the MF and DF). With my ICMP research I did use it to identify several operating systems according to their answers for Echo requests with the IP unused bit set.

The packet is crafted in my opinion. TTL is set to 153, IP ID is 153... Protocol Number 204... G :)

Maybe an NMAP protocol scan, or something similar.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jean Michel BARBET
Sent: Tue 09 October 2001 8:16
To: snort-users () lists sourceforge net
Subject: [Snort-users] MISC IP Reserved bit set

Hello,

I have used snort for about 2 months now and it is an invaluable tool both for auditing your network and for learning.

Yesterday I got a bunch of:

[**] [1:523:1] MISC IP Reserved bit set [**]
10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200

(I replaced the real addresses by EXTERNAL_NET and HOME_NET)

I got more than 6000 of these within 3 hours, then it stopped... There are many different sources and targets.

I run snort V1.8:

Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

=> Could somebody explain to me what these alerts are?

Also I am running two different versions of snort on two slightly different machines on the same mirrored port of a switch. These are V1.7 and the already mentioned V1.8-build 43. Both of them are dumping core about once a week.

V1.7 runs on Linux RedHat 7.0, Kernel: 2.2.16-22
V1.8 runs on Linux RedHat 7.0, kernel: 2.2.19-7.0.8

=> Any idea of what is making snort crash? Can I help by sending a core file?

Thank you.

Jean-Michel BARBET.
--
------------------------------------------------------------------------
Jean-michel BARBET                    | Tel: +33 (0)2 51 85 84 86
Laboratoire SUBATECH Nantes France    | Fax: +33 (0)2 51 85 84 79
CNRS-IN2P3/Ecole des Mines/Universite | E-Mail: barbet () subatech in2p3 fr
------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
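The thread turns on one IPv4 header field: the "must be zero" reserved bit that sits beside DF and MF, which Snort SID 523 fires on and which Ofir's reply treats as a marker of a crafted packet. The following is an added example (editor's code, not Snort's detection engine, not any rule from the Snort rule set, and not code from either poster) that decodes the fixed IPv4 header per RFC 791, reports the reserved bit the same way SID 523 does, and renders the finding in the three-line alert layout quoted in the thread. It also catches two things a decoder should not trust silently: an IHL below the 20-byte minimum (the alert quoted above prints IpLen:12, which is smaller than any IPv4 header can legitimately be) and a bad header checksum. The packets are constructed inline from documentation addresses (192.0.2.x, 198.51.100.x) and are not captures; the CRAFTED sample copies the field values from Jean-Michel's alert (protocol 204, TTL 153, IP ID 153).

```python
import struct
import ipaddress
from typing import Dict, List, Optional

# IPv4 flags field (RFC 791): bit 0 is reserved and "must be zero",
# bit 1 is DF (Don't Fragment), bit 2 is MF (More Fragments).
IP_FLAG_RESERVED = 0x4
IP_FLAG_DF = 0x2
IP_FLAG_MF = 0x1

IPV4_MIN_HEADER = 20  # IHL of 5 words; anything smaller cannot hold the fixed fields
HDR_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; yields 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int, ident: int,
                      flags: int, total_len: int, ihl_words: int = 5) -> bytes:
    """Assemble a 20-byte IPv4 header with a correct checksum (constructed test input only).
    ihl_words is exposed so a deliberately malformed IHL can be produced to exercise the decoder."""
    ver_ihl = (4 << 4) | (ihl_words & 0x0F)
    flags_frag = (flags & 0x7) << 13          # fragment offset left at 0
    hdr = struct.pack(HDR_FMT, ver_ihl, 0, total_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> Dict:
    """Decode the fixed IPv4 header fields. Raises ValueError on truncated or non-IPv4 input."""
    if len(data) < IPV4_MIN_HEADER:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(HDR_FMT, data[:IPV4_MIN_HEADER])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header (version %d)" % (ver_ihl >> 4))
    ihl_bytes = (ver_ihl & 0x0F) * 4
    checksum_ok: Optional[bool] = None
    if IPV4_MIN_HEADER <= ihl_bytes <= len(data):
        checksum_ok = ipv4_checksum(data[:ihl_bytes]) == 0   # only meaningful for a sane IHL
    return {
        "ihl_bytes": ihl_bytes, "tos": tos, "total_len": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_off": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": checksum_ok,
    }


def findings(hdr: Dict) -> List[str]:
    """Header-level anomalies worth alerting on; the first is the condition Snort SID 523 keys on."""
    out = []
    if hdr["flags"] & IP_FLAG_RESERVED:
        out.append("reserved-bit-set")
    if hdr["ihl_bytes"] < IPV4_MIN_HEADER:
        out.append("ihl-below-minimum")
    if hdr["checksum_ok"] is False:
        out.append("bad-checksum")
    return out


def snort_style_alert(hdr: Dict, stamp: str = "10/08-11:10:29.567869") -> str:
    """Render the finding in the three-line layout Snort 1.8 used for the alert quoted in the thread."""
    return ("[**] [1:523:1] MISC IP Reserved bit set [**]\n"
            f"{stamp} {hdr['src']} -> {hdr['dst']}\n"
            f"PROTO{hdr['proto']} TTL:{hdr['ttl']} TOS:0x{hdr['tos']:X} "
            f"ID:{hdr['id']} IpLen:{hdr['ihl_bytes']} DgmLen:{hdr['total_len']}")


# Constructed samples (documentation addresses, not real hosts). CRAFTED mirrors the field
# values in the quoted alert: protocol 204, TTL 153, IP ID 153, reserved bit set.
CRAFTED = build_ipv4_header("192.0.2.10", "198.51.100.7", proto=204, ttl=153, ident=153,
                            flags=IP_FLAG_RESERVED, total_len=200)
NORMAL = build_ipv4_header("192.0.2.10", "198.51.100.7", proto=6, ttl=64, ident=4242,
                           flags=IP_FLAG_DF, total_len=60)
MALFORMED = build_ipv4_header("192.0.2.10", "198.51.100.7", proto=204, ttl=153, ident=153,
                              flags=IP_FLAG_RESERVED, total_len=200, ihl_words=3)

if __name__ == "__main__":
    for name, pkt in (("crafted", CRAFTED), ("normal", NORMAL), ("malformed", MALFORMED)):
        hdr = parse_ipv4_header(pkt)
        print(name, findings(hdr))
        if hdr["flags"] & IP_FLAG_RESERVED:
            print(snort_style_alert(hdr))
```

Reading the output for the three samples shows why the thread's alert deserved a second look: a reserved bit that no RFC-conforming stack sets, combined with an IHL that cannot even hold the fixed header, is the signature of a header written by hand rather than by a kernel. A normal DF-flagged TCP header produces no finding at all.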
Current thread:
- MISC IP Reserved bit set Jean Michel BARBET (Oct 08)
- Re: MISC IP Reserved bit set Erek Adams (Oct 09)
- RE: MISC IP Reserved bit set Ofir Arkin (Oct 15)
- <Possible follow-ups>
- Re: MISC IP Reserved bit set Miller, Toby (Oct 09)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 14)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: downloading rules from snort.org while snort is running on your server. Frontgate Lab (Oct 12)