Snort mailing list archives

TCP Data Offset is less than 5


From: "Gabriel L. Somlo" <somlo () acns colostate edu>
Date: Wed, 31 Dec 2003 12:24:51 -0700

Hi

I've been getting hammered with this lately:

Signature "[snort] (snort_decoder) WARNING: TCP Data Offset is less than 5!" 

The overwhelming majority of alerts are from hosts that are dialed in
over the modem pool.

We have a /16-sized network, the modem pool has a /22 subnet of that,
and I'm seeing 1GByte worth of alerts /day from cca. 20 machines on
the modem pool (tens of thousands per machine). The curious thing is
that it's specific to machines dialed in over the modems, not a peep from
any other box on the network...

Does anyone have an idea what might be happening, and -- what I'd most
like to figure out -- what's the connection with the modems ! :)


Thanks much, and have a Happy New Year !

Gabriel

