Snort mailing list archives

Truncated TCP Options


From: Paul Schmehl <pauls () utdallas edu>
Date: 27 Jul 2003 15:58:03 -0500

I got a bunch of these today, so I did some research on them, including
the mailing list archives and the RFCs.  Can't say I *fully* understand
them, and a question has arisen that I need an answer to.

In looking at the ACID display of these alerts, I noticed that there
*is* an options field displayed, but it's empty (it actually reads
"none").  Is this a problem with ACID not parsing the data correctly? 
(I assume that's the most likely cause.)  Or is snort not reporting the
options even though it detects that there's a problem with them?

Another thing that I noticed is that the src is one of our web servers
and the dest is the same address for over 8700 of the alerts.  Anyone
want to speculate as to what the cause might be?  The server is a
Solaris box running Apache, and I'm sure it's not misconfigured.  Could
a bad request from a client cause this kind of alert?

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
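For readers who, like the poster, are not sure what "truncated" means for this alert: the options area of a TCP header is bounded by the data offset field, and each option after EOL/NOP carries its own length byte. The Snort decoder raises the truncated-options alert when an option's length field claims more bytes than remain before that boundary (or when the kind byte is the last byte, so there is no room for a length at all). The parser below is an added example, not code from the post or from Snort; it reflects my understanding of the decoder's check rather than its source. All packets are constructed here with a small builder that can deliberately set a data offset that disagrees with the option bytes present, which is exactly the shape a malformed client SYN would have.

```python
"""Walk the TCP options of a raw TCP header and report the conditions that
correspond to Snort's truncated-options decoder alert.  Added example; the
check mirrors my reading of the Snort decoder, not its actual code."""
import struct

EOL, NOP = 0, 1  # single-byte option kinds (RFC 793): no length field


def build_tcp_header(options, data_offset=None):
    """Build a minimal SYN header (checksum left zero) with the given option bytes.

    data_offset is derived from the padded option length unless given
    explicitly; an explicit value lets the samples claim a header length
    that disagrees with the option bytes actually present.  Constructed
    data, not captured traffic."""
    if data_offset is None:
        options = options + b"\x00" * ((-len(options)) % 4)  # EOL pad to 32 bits
        data_offset = 5 + len(options) // 4
    fixed = struct.pack(
        "!HHIIBBHHH",
        40000, 80,          # source / destination port
        0, 0,               # sequence / acknowledgement numbers
        data_offset << 4,   # data offset in 32-bit words, reserved bits zero
        0x02,               # flags: SYN
        8192, 0, 0,         # window, checksum (unset), urgent pointer
    )
    return fixed + options


def parse_tcp_options(tcp):
    """Return {"options": [(kind, data), ...], "errors": [str, ...]}.

    Errors starting with "truncated" are the cases the Snort decoder flags as
    truncated options; a length below 2 is reported separately, as Snort does
    with its own bad-lengths decoder alert."""
    result = {"options": [], "errors": []}
    if len(tcp) < 20:
        result["errors"].append("truncated: header shorter than 20 bytes")
        return result
    hlen = (tcp[12] >> 4) * 4
    if hlen < 20:
        result["errors"].append(f"bad data offset: header length {hlen} < 20")
        return result
    if hlen > len(tcp):
        # Data offset promises option bytes that never arrived.
        result["errors"].append(
            f"truncated: data offset says {hlen} bytes, only {len(tcp)} present")
        return result
    opts = tcp[20:hlen]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break                      # everything after EOL is padding
        if kind == NOP:
            result["options"].append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            # Kind byte sits on the last byte of the header: no length byte.
            result["errors"].append(
                f"truncated: option kind {kind} at offset {i} has no length byte")
            break
        length = opts[i + 1]
        if length < 2:
            result["errors"].append(
                f"bad length: option kind {kind} at offset {i} has length {length}")
            break
        if i + length > len(opts):
            # The length field runs past the end of the options area.
            result["errors"].append(
                f"truncated: option kind {kind} at offset {i} claims {length} "
                f"bytes, only {len(opts) - i} remain")
            break
        result["options"].append((kind, opts[i + 2:i + length]))
        i += length
    return result


# Constructed samples (hypothetical packets, not from the poster's sensor).
GOOD = build_tcp_header(b"\x02\x04\x05\xb4")                      # MSS 1460
TRUNCATED_LENGTH = build_tcp_header(b"\x01\x01\x02\x04", data_offset=6)  # MSS says 4, 2 left
NO_LENGTH_BYTE = build_tcp_header(b"\x01\x01\x01\x02", data_offset=6)    # kind with no length
SHORT_ON_WIRE = build_tcp_header(b"\x02\x04\x05\xb4", data_offset=7)     # offset 28, 24 present
BAD_LENGTH = build_tcp_header(b"\x02\x01\x00\x00")                # length 1 is impossible

if __name__ == "__main__":
    for name in ("GOOD", "TRUNCATED_LENGTH", "NO_LENGTH_BYTE", "SHORT_ON_WIRE", "BAD_LENGTH"):
        print(name, parse_tcp_options(globals()[name]))
```

Running it prints an empty error list for GOOD and a single descriptive error for each malformed sample. Pointing the parser at the raw bytes of one of the alerting packets (if the sensor is configured to log them) shows which of the three conditions the decoder tripped on, which is more than a display that only prints "none" for the options field can tell you.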



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net