Snort mailing list archives
TCP Data Offset is less than 5
From: "Gabriel L. Somlo" <somlo () acns colostate edu>
Date: Wed, 31 Dec 2003 12:24:51 -0700
Hi

I've been getting hammered with this lately:

Signature "[snort] (snort_decoder) WARNING: TCP Data Offset is less than 5!"

The overwhelming majority of alerts are from hosts that are dialed in over the modem pool. We have a /16-sized network, the modem pool has a /22 subnet of that, and I'm seeing 1GByte worth of alerts/day from cca. 20 machines on the modem pool (tens of thousands per machine).

The curious thing is that it's specific to machines dialed in over the modems, not a peep from any other box on the network...

Does anyone have an idea what might be happening, and -- what I'd most like to figure out -- what's the connection with the modems! :)

Thanks much, and have a Happy New Year!

Gabriel
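What the decoder warning quoted in the message above means at the byte level, as an added example that is not part of the original post and is not Snort's own code: the Data Offset is the high four bits of byte 12 of the TCP header, counted in 32-bit words, so a well-formed header carries a value of at least 5. The function and enum names and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result names are hypothetical, chosen for this example. */
enum tcp_hdr_check {
    TCP_HDR_OK,
    TCP_HDR_TRUNCATED,     /* fewer than 20 bytes present */
    TCP_HDR_OFFSET_LT_5,   /* Data Offset below the legal minimum of 5 */
    TCP_HDR_OFFSET_GT_LEN  /* header claims more bytes than are present */
};

/* Data Offset: high 4 bits of byte 12, counted in 32-bit words. */
static unsigned tcp_data_offset_words(const uint8_t *seg)
{
    return (unsigned)(seg[12] >> 4);
}

enum tcp_hdr_check check_tcp_header(const uint8_t *seg, size_t len)
{
    if (seg == NULL || len < 20)          /* fixed header is 5 * 4 bytes */
        return TCP_HDR_TRUNCATED;
    unsigned words = tcp_data_offset_words(seg);
    if (words < 5)                        /* the condition the alert names */
        return TCP_HDR_OFFSET_LT_5;
    if ((size_t)words * 4 > len)          /* options would run past the data */
        return TCP_HDR_OFFSET_GT_LEN;
    return TCP_HDR_OK;
}

/* Constructed sample headers (not captured traffic), ports 1025 -> 80,
 * checksums left at zero. Only byte 12 differs between them. */
static const uint8_t sample_ok[20] = {     /* offset 5: plain 20-byte header */
    0x04,0x01, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50, 0x02, 0x20,0x00, 0,0, 0,0 };
static const uint8_t sample_lt5[20] = {    /* offset 2: triggers the warning */
    0x04,0x01, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x20, 0x02, 0x20,0x00, 0,0, 0,0 };
static const uint8_t sample_long[20] = {   /* offset 8: claims 32 bytes of 20 */
    0x04,0x01, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x80, 0x02, 0x20,0x00, 0,0, 0,0 };

int main(void)
{
    printf("ok=%d lt5=%d long=%d\n",
           check_tcp_header(sample_ok, sizeof sample_ok),
           check_tcp_header(sample_lt5, sizeof sample_lt5),
           check_tcp_header(sample_long, sizeof sample_long));
    return 0;
}
```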
Current thread:
- TCP Data Offset is less than 5 Gabriel L. Somlo (Dec 31)