Snort mailing list archives
Re: tcp_decode logging
From: vulnerable <vulnerable () gmail com>
Date: Thu, 13 Apr 2006 22:02:35 -0400
Multiple sources but appears to be confined to just two subnets, each talking to random hosts on the internet. On 4/13/06, Will Metcalf <william.metcalf () gmail com> wrote:
Are the alerts being generated from one source in particular? If so are the alerts being generated when that source is communicating with another internal host? Regards, Will On 4/13/06, vulnerable <vulnerable () gmail com> wrote:Recently i've been recieving lots of 'tcp experimental options' alerts through the tcp_decoder. I am using barnyard w/ unified logging however the tcp options are not being logged. Is this by design? I can't find any firm answers. I'd like to enable this if I can. And since this isn't being logged I can't find the cause, I'm assuming it's a false positive though. Random packet captures show the options such as: | 02 04 05 78 01 01 04 02 4c 0a 00 40 01 01 0a 70 01 1e 00 05 01 00 | which ethereal decodes as MSS 1400 NOP NOP SACK Unknown 0x4c NOP EOL But I'm only assuming this is the bad packet since none of the flagged packets are being logged by snort... Is it recommended that I disable this alert w/ config disable_tcpopt_experimental_alerts? Still, I'd prefer to fix or understand the issue before disabling the alert. What are the general causes of these experimental options? tia ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scriptinglanguagethat extends applications into web and mobile media. Attend the livewebcastand join the prime developer group breaking into this new codingterritory!http://sel.as-us.falkag.net/sel?cmdlnk&kid0944&bid$1720&dat1642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?listsnort-users
Current thread:
- tcp_decode logging vulnerable (Apr 13)
- Re: tcp_decode logging Will Metcalf (Apr 13)
- Re: tcp_decode logging vulnerable (Apr 13)
- Re: tcp_decode logging Will Metcalf (Apr 13)