Snort mailing list archives

Re: TCP Data Offset is less than 5


From: GDHough <mr6re9 () execulink com>
Date: Thu, 1 Jan 2004 09:20:07 -0500

I had one alert to a browsing nat box:

Generated by ACID v0.9.6b23 on Wed, 24 Dec 2003 14:32:54 -0500

------------------------------------------------------------------------------
#(1 - 2701) [2003-12-24 00:01:59] [snort/46]  (snort_decoder) WARNING: TCP Data Offset is less than 5!
IPv4: 63.247.85.10 -> my.inet.addr.200
      hlen=5 TOS=0 dlen=1500 ID=60224 flags=0 offset=0 TTL=47 chksum=17258
TCP:  port=80 -> dport: 44963  flags=2**A*RS* seq=1813803659
      ack=1215956819 off=4 res=4 win=21299 urp=38947 chksum=1522
Payload: none

On Wednesday 31 December 2003 14:24, Gabriel L. Somlo wrote:
> Hi
> 
> I've been getting hammered with this lately:
> 
> Signature "[snort] (snort_decoder) WARNING: TCP Data Offset is less than
> 5!"
> 
> The overwhelming majority of alerts are from hosts that are dialed in
> over the modem pool.
> 
> We have a /16 -sized network, the modem pool has a /22 subnet of that,
> and I'm seeing 1GByte worth of alerts /day from cca. 20 machines on
> the modem pool (tens of thousands per machine). The curious thing is
> that it's specific to machines dialed in over the modems, not a peep from
> any other box on the network...
> 
> Does anyone have an idea what might be happening, and -- what I'd most
> like to figure out -- what's the connection with the modems ! :)
> 
> 
> Thanks much, and have a Happy New Year !
> 
> Gabriel

farmer6re9
-- 
Eating Crow is better with MyCrowSauce
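The check behind this decoder alert, as an added example that is not part of the thread and not Snort's own code: a TCP header is at least five 32-bit words (20 bytes), and the 4-bit Data Offset field counts those words, so a header that claims off=4 is malformed and the decoder cannot trust where options or payload begin. The example packs a header from the field values in the ACID output above (off=4, res=4, ACK/RST/SYN, ports, sequence numbers, window, urgent pointer, checksum), runs the same test a decoder would, and also shows the neighbouring sanity checks (segment shorter than 20 bytes, Data Offset pointing past the end of the segment). Only the "TCP Data Offset is less than 5!" message text comes from the thread; the other two messages, the function names, the flag-display order and the sample segments are this example's own constructions.

```python
import struct

# A TCP header is at least five 32-bit words (20 bytes); the 4-bit Data
# Offset field counts those words, so any value below 5 is invalid.
TCP_MIN_DATA_OFFSET = 5
TCP_MIN_HDR_LEN = TCP_MIN_DATA_OFFSET * 4

# Flag bits in an 8-character display order ("12UAPRSF": two reserved
# bits, URG, ACK, PSH, RST, SYN, FIN); unset bits print as '*'.
# Assumed presentation for this example, not taken from the thread.
FLAG_ORDER = (
    (0x80, "1"), (0x40, "2"), (0x20, "U"), (0x10, "A"),
    (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F"),
)

# Message text: MSG_BAD_OFFSET is the one quoted in the thread; the other
# two are this example's own wording for the neighbouring sanity checks.
MSG_SHORT_SEGMENT = "TCP segment is shorter than 20 bytes (constructed message)"
MSG_BAD_OFFSET = "TCP Data Offset is less than 5!"
MSG_OFFSET_PAST_END = "TCP Data Offset points past the end of the segment (constructed message)"


def flag_string(flags):
    """Render the flags byte as an 8-character string in FLAG_ORDER."""
    return "".join(ch if flags & bit else "*" for bit, ch in FLAG_ORDER)


def build_tcp_header(sport, dport, seq, ack, off, res, flags, win, chksum, urp):
    """Pack a 20-byte fixed TCP header; `off` is the 4-bit Data Offset in
    32-bit words and `res` the 4 bits that follow it (reserved/NS)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       ((off & 0xF) << 4) | (res & 0xF), flags, win, chksum, urp)


def decode_tcp(segment):
    """Decode a TCP segment (header plus payload, no IP header).

    Returns (fields, warning). `warning` is None for a well-formed header,
    otherwise a decoder message; `fields` is None only when the segment is
    too short to hold the fixed header at all.
    """
    if len(segment) < TCP_MIN_HDR_LEN:
        return None, MSG_SHORT_SEGMENT
    (sport, dport, seq, ack, off_res, flags,
     win, chksum, urp) = struct.unpack("!HHIIBBHHH", segment[:TCP_MIN_HDR_LEN])
    off = off_res >> 4          # high nibble: header length in 32-bit words
    res = off_res & 0x0F        # low nibble: reserved bits
    hlen = off * 4
    fields = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "off": off, "res": res, "flags": flag_string(flags),
        "win": win, "urp": urp, "chksum": chksum, "hlen": hlen,
    }
    # The check behind the thread's alert: the header claims to be shorter
    # than the fixed 20-byte header, so option and payload boundaries cannot
    # be trusted and the segment is not parsed any further.
    if off < TCP_MIN_DATA_OFFSET:
        return fields, MSG_BAD_OFFSET
    # Complementary check: the claimed header length must fit the segment.
    if hlen > len(segment):
        return fields, MSG_OFFSET_PAST_END
    fields["options"] = segment[TCP_MIN_HDR_LEN:hlen]
    fields["payload"] = segment[hlen:]
    return fields, None


def format_alert(fields, warning):
    """One-line summary in the spirit of the ACID output quoted above."""
    return ("TCP: port=%d -> dport: %d flags=%s seq=%d ack=%d off=%d res=%d "
            "win=%d urp=%d chksum=%d -- %s" % (
                fields["sport"], fields["dport"], fields["flags"], fields["seq"],
                fields["ack"], fields["off"], fields["res"], fields["win"],
                fields["urp"], fields["chksum"], warning or "ok"))


# Constructed sample: the header fields from the alert in the thread
# (off=4, res=4, ACK/RST/SYN) followed by 1460 bytes of zero padding so the
# segment is 1480 bytes, i.e. dlen=1500 minus a 20-byte IP header. The
# reserved flag bit shown in the thread's flag string is not reproduced.
BAD_OFFSET_SEGMENT = build_tcp_header(
    80, 44963, 1813803659, 1215956819, 4, 4, 0x16, 21299, 1522, 38947
) + b"\x00" * 1460

# Constructed sample: a well-formed SYN/ACK with an 8-byte options area
# (MSS 1460, NOP, NOP, SACK-permitted; off=7 -> 28-byte header) and a
# 4-byte payload.
GOOD_SEGMENT = build_tcp_header(
    80, 44963, 1, 2, 7, 0, 0x12, 65535, 0, 0
) + bytes([2, 4, 5, 180, 1, 1, 4, 2]) + b"data"

# Constructed sample: off=8 claims a 32-byte header but only 20 bytes exist.
TRUNCATED_SEGMENT = build_tcp_header(80, 44963, 1, 2, 8, 0, 0x10, 1024, 0, 0)


if __name__ == "__main__":
    for seg in (BAD_OFFSET_SEGMENT, GOOD_SEGMENT, TRUNCATED_SEGMENT):
        fields, warning = decode_tcp(seg)
        print(format_alert(fields, warning))
```

Running the script prints one summary line per sample; the first reproduces the off=4/res=4 header from the thread with the "TCP Data Offset is less than 5!" warning attached, the second decodes cleanly with its options and payload split out, and the third trips the past-the-end check. Because the decoder stops at the offset check, the flagged segment never gets an `options` or `payload` entry, which is why an analyst sees "Payload: none" on such alerts even though the IP datagram carried 1500 bytes.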


