Snort mailing list archives

Re: Truncated Tcp Options?


From: Rich Adamson <radamson () routers com>
Date: Tue, 16 Mar 2004 06:48:17 -0600

Thanks for the reference. Are there any known stacks, apps, etc, that
are known to trip the alert, or does this option tend to be one of those
that might be more oriented towards FYI?

------------------------
Rich,

http://marc.theaimsgroup.com/?l=snort-users&m=105144642022660&w=2

Coming only from one site? (which is a .MIL btw, unless you changed the
IP), I doubt it's p2p.

ypwhich

- - - -
ypwhich {at} paunix.org

"As we know, There are known knowns. These are things we know that we
know. There are known unknowns. That is to say, there are things that we
know we don't know. But there are also unknown unknowns. There are things
we don't know we don't know." - Donald Rumsfeld
- - - -


On Mon, 15 Mar 2004, Rich Adamson wrote:

Can someone help me understand the following alert? (snort v2.1, current rules)

snort: [116:55:1] (snort_decoder): Truncated Tcp Options {TCP} 215.144.24.31:80 -> 10.10.91.29:1354

This is from outside -> inside (a response packet). Seems thus far to only
be associated with one workstation (or maybe a single remote site).

Not sure how to deal with this. Suggestions?

Rich


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------End of Original Message-----------------





