Snort mailing list archives

Re: New stream 4 messages in 2.0


From: Chris Green <cmg () sourcefire com>
Date: Mon, 21 Apr 2003 09:03:18 -0400

Russell Fulton <r.fulton () auckland ac nz> writes:

> Hi All,
>       We have just upgraded to 2.0 and are seeing lots of alerts for these:
>
> (snort_decoder) WARNING: TCP Data Offset is less than 5!
> (snort_decoder): T/TCP Detected
>
> Just what triggers these alerts and is there any way to turn them off?
>
> BTW all the "TCP Data Offset is less than 5!" come from three Akamai
> boxes housed on our DMZ :(  Those things seem to bend all the rules to
> breaking point, sigh...

Mind sending me a packet dump to see what these things are doing? :)

> The "T/TCP Detected" all seem to be from incoming connections.

2.0.0:
config disable_ttcp_alerts

2.0.x also accepts

config disable_tcpopt_ttcp_alerts

-- 
Chris Green <cmg () sourcefire com>
Laugh and the world laughs with you, snore and you sleep alone.
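
For triaging the packet dump requested above, the following added example (not part of the original message and not Snort's decoder code) checks a raw TCP header for the two conditions the alert texts name. It assumes "T/TCP Detected" corresponds to the RFC 1644 connection-count options (kinds 11 to 13); the function name, flag names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result flags; names are this example's own, not Snort's. */
#define F_TRUNCATED   0x01u /* captured bytes shorter than the header */
#define F_BAD_OFFSET  0x02u /* data offset < 5 words (header < 20 bytes) */
#define F_BAD_OPTIONS 0x04u /* an option length runs outside the header */
#define F_TTCP        0x08u /* CC, CC.NEW or CC.ECHO option (RFC 1644) */

/* tcp points at the first byte of the TCP header; len is bytes captured. */
unsigned check_tcp_header(const uint8_t *tcp, size_t len) {
    unsigned flags = 0;
    if (len < 20) return F_TRUNCATED;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4; /* offset is in 32-bit words */
    if (hlen < 20) return F_BAD_OFFSET;       /* options cannot be located */
    if (hlen > len) return F_TRUNCATED;
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                 /* end of option list */
        if (kind == 1) { i++; continue; }     /* NOP padding, one byte */
        if (i + 1 >= hlen || tcp[i + 1] < 2 || i + tcp[i + 1] > hlen)
            return flags | F_BAD_OPTIONS;
        if (kind >= 11 && kind <= 13) flags |= F_TTCP;
        i += tcp[i + 1];
    }
    return flags;
}

/* Constructed sample headers (not taken from any real capture). */
static const uint8_t sample_ttcp[32] = {      /* SYN, offset 8, MSS + CC */
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x80,0x02, 0x20,0x00, 0,0, 0,0,
    0x02,0x04,0x05,0xb4, 0x01,0x01, 0x0b,0x06,0,0,0,1 };
static const uint8_t sample_short_offset[20] = { /* offset nibble is 4 */
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x40,0x10, 0x20,0x00, 0,0, 0,0 };
static const uint8_t sample_plain[20] = {     /* offset 5, no options */
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0x20,0x00, 0,0, 0,0 };

int main(void) {
    printf("ttcp:  %#x\n", check_tcp_header(sample_ttcp, sizeof sample_ttcp));
    printf("short: %#x\n", check_tcp_header(sample_short_offset, 20));
    printf("plain: %#x\n", check_tcp_header(sample_plain, 20));
    return 0;
}
```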

