Snort mailing list archives

Re: Some odd traffic.


From: twig les <twigles () yahoo com>
Date: Fri, 12 Dec 2003 09:34:26 -0800 (PST)


--- Matt Linton <mlinton () email arc nasa gov> wrote:
Has anyone seen traffic like this before?  It's a little bit odd to see
TCP port 0 -> Port 0 across the router. Especially with A and R flags, no?

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
12/11-16:28:18.618241 192.168.20.81:0 -> 10.0.2.5:0
TCP TTL:128 TOS:0x0 ID:18920 IpLen:20 DgmLen:136
*2UA*R** Seq: 0x12502710  Ack: 0x103C225  Win: 0xF437  TcpLen: 12
UrgPtr: 0xFFFF


I get 0.0.0.0:0 alerts sometimes and when I check it out it's
our firewall spitting out TCP packets with bad checksums.  May
not be your problem, but worth checking out.  Though I must say
that looking at CAM tables for a specific MAC address on a core
switch sucks.

=====
-----------------------------------------------------------
Get a taste of Religion ... eat a priest!       
-----------------------------------------------------------
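
Added example, not part of the original posts and not Snort code: a small Python triage of a raw IPv4/TCP packet for the three conditions raised in this thread (port 0, a TCP data offset below 5, and a bad TCP checksum). The sample packet is constructed from the header fields in the quoted alert with zero filler as payload; the names ones_sum, triage and build_sample are made up for this example.

```python
import struct
from ipaddress import IPv4Address

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def triage(pkt: bytes) -> list[str]:
    """Return findings for a raw IPv4 packet (IP header checksum is not checked)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if proto != 6:
        return ["not TCP"]
    seg = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", seg[:4])
    doff = seg[12] >> 4          # header length in 32-bit words; minimum legal value is 5
    findings = []
    if sport == 0 or dport == 0:
        findings.append("port 0")
    if doff < 5:
        findings.append(f"data offset {doff} < 5 (TcpLen {doff * 4})")
    # Pseudo-header: source, destination, zero, protocol, TCP segment length
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    if ones_sum(pseudo + seg) != 0xFFFF:   # a valid segment sums to 0xFFFF
        findings.append("bad TCP checksum")
    return findings

def build_sample(fix_checksum: bool) -> bytes:
    """Constructed packet: header fields from the quoted alert, zero filler as payload."""
    src, dst = IPv4Address("192.168.20.81").packed, IPv4Address("10.0.2.5").packed
    # Flag byte 0x74 (reserved 0x40 + URG, ACK, RST) is an assumed encoding of *2UA*R**
    tcp = struct.pack("!HHIIBBHHH", 0, 0, 0x12502710, 0x0103C225,
                      3 << 4, 0x74, 0xF437, 0, 0xFFFF)
    tcp += bytes(116 - len(tcp))           # DgmLen 136 minus the 20-byte IP header
    if fix_checksum:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", 0xFFFF - ones_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 18920, 0, 128, 6, 0)
    return ip + src + dst + tcp

if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, triage(build_sample(fixed)))
```
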
