[Snort-users] MISC IP Reserved bit set

Jean Michel BARBET Jean-Michel.Barbet at ...3724...
Mon Oct 8 23:17:09 EDT 2001


I have used snort for about 2 months now and it is an invaluable tool 
both for auditing your network and for learning. 

Yesterday I got a bunch of:

[**] [1:523:1] MISC IP Reserved bit set [**]
10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200

(I replaced the real addresses by EXTERNAL_NET and HOME_NET)
I got more than 6000 of these within 3 hours, then it stopped...
There are many different sources and targets.

I run snort V1.8:
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch at ...1935..., www.snort.org)

=> Could somebody explain to me what these alerts are?

Also I am running two different versions of snort on two slightly
different machines on the same mirrored port of a switch. 
These are V1.7 and the already mentioned V1.8-build 43. 

Both of them are dumping core about once a week. 

V1.7 runs on Linux RedHat 7.0, kernel: 2.2.16-22
V1.8 runs on Linux RedHat 7.0, kernel: 2.2.19-7.0.8

=> Any idea of what is making snort crash? Can I help by sending 
   a core file?

Thank you.

Jean-Michel BARBET.

Jean-michel BARBET                    | Tel: +33 (0)2 51 85 84 86 
Laboratoire SUBATECH Nantes France    | Fax: +33 (0)2 51 85 84 79
CNRS-IN2P3/Ecole des Mines/Universite | E-Mail: barbet at ...3724...
