Snort mailing list archives
Re: Sudden surge of MISC IP Reserved bit set
From: John Sage <jsage () finchhaven com>
Date: Fri, 10 Aug 2001 10:29:40 -0700
umm..Unless you munged the IP's in your post, this is all happening internal to your network.
What's at 192.168.12.249? Who was on 192.168.12.249 when this was happening? What were they doing? - John Tom Sevy wrote:
This morning, for an unknown reason(s), I am seeing a deluge of MISC IP
Reserved bit setup.
Starting at 9:18, until 9:38 (about 20 minutes) I saw 53,152 of these show
up. 77 Sources, 43 destinations.
Any idea what would cause this? We run a mix of MS & *nix systems.
Here's a sample (minus payload):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~
#(2 - 74518) [2001-08-10 09:30:49] MISC IP Reserved bit set
IPv14: 192.168.12.249 -> 192.168.10.10
hlen=7 TOS=0 dlen=204 ID=32769 flags=0 offset=0 TTL=55 chksum=194
Payload: length = 164
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Sudden surge of MISC IP Reserved bit set Tom Sevy (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set Phil Wood (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set Martin Roesch (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set John Sage (Aug 10)
- <Possible follow-ups>
- Re: Sudden surge of MISC IP Reserved bit set Phil Wood (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set Phil Wood (Aug 10)