Snort mailing list archives
Re: Some odd traffic.
From: twig les <twigles () yahoo com>
Date: Fri, 12 Dec 2003 09:34:26 -0800 (PST)
--- Matt Linton <mlinton () email arc nasa gov> wrote:
> Has anyone seen traffic like this before? It's a little bit odd to see TCP port 0 -> Port 0 across the router. Especially with A and R flags, no?
>
> [**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
> 12/11-16:28:18.618241 192.168.20.81:0 -> 10.0.2.5:0
> TCP TTL:128 TOS:0x0 ID:18920 IpLen:20 DgmLen:136
> *2UA*R** Seq: 0x12502710 Ack: 0x103C225 Win: 0xF437 TcpLen: 12
> UrgPtr: 0xFFFF
I get 0.0.0.0:0 alerts sometimes and when I check it out it's our firewall spitting out TCP packets with bad checksums. May not be your problem, but worth checking out. Though I must say that looking at CAM tables for a specific MAC address on a core switch sucks.
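The three things this thread looks at (the decoder's data-offset warning, port 0 on both ends, and the bad-checksum cause suggested in the reply) can be checked on a raw TCP segment as follows. This is an added Python example, not part of either post; the function names are hypothetical and the sample segment is constructed from the header fields in the alert, with the checksum field left at zero as an assumption.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def triage_tcp(src_ip: str, dst_ip: str, segment: bytes) -> list:
    """Return the anomalies found in one raw TCP segment (header + payload)."""
    if len(segment) < 20:
        return ["truncated TCP header"]
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    findings = []
    data_offset = off_flags >> 12  # header length in 32-bit words, minimum 5
    if data_offset < 5:
        findings.append(f"data offset {data_offset} < 5 (TcpLen {data_offset * 4})")
    if sport == 0 or dport == 0:
        findings.append("port 0 in use")
    # The checksum covers a pseudo-header (addresses, protocol 6, TCP length)
    # plus the segment; a valid segment sums to zero after complementing.
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    if inet_checksum(pseudo + segment) != 0:
        findings.append("bad TCP checksum")
    return findings

# Constructed sample: header fields taken from the alert (ports 0, Seq, Ack,
# Win, UrgPtr, TcpLen 12 -> data offset 3, flags *2UA*R** -> 0x74).
# The checksum field (0) is an assumption; the alert does not show it.
SAMPLE = struct.pack("!HHIIHHHH", 0, 0, 0x12502710, 0x0103C225,
                     (3 << 12) | 0x74, 0xF437, 0x0000, 0xFFFF)

if __name__ == "__main__":
    for finding in triage_tcp("192.168.20.81", "10.0.2.5", SAMPLE):
        print(finding)
```

A segment that trips only the checksum test fits the reply's explanation of a device emitting corrupted packets; the data-offset and port-0 findings are what the decoder warning and the original question are about.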