[Snort-users] MISC IP Reserved bit set
erek at ...577...
Tue Oct 9 07:33:15 EDT 2001
On Tue, 9 Oct 2001, Jean Michel BARBET wrote:
> I have used snort for about 2 months now and it is an unvaluable tool
> both for auditing your network and for learning.
> Yesterday I got a bunch of :
> [**] [1:523:1] MISC IP Reserved bit set [**]
> 10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
> PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200
> (I replaced the real addresses by EXTERNAL_NET and HOME_NET)
> I got more than 6000 of these within 3 hours, then it stopped...
> There are many different sources and targets.
> I run snort V1.8 :
> Version 1.8-RELEASE (Build 43)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> => Could somebody explain to me what are these alerts ?
It means that there were some of the reserved bits set on some packets coming
into your net. I'd guess either URG or PSH. Have a look at W. Richard
Stevens book TCP/IP Illustrated, Volume 1--The Protocols on p. 227 for a list.
Section 17.3 explains much better than I what they are used for. The question
you must figure out is 'Why?' That's not a normal thing for many nets. You
should look at the packet payload and see if it looks 'odd' on some of
> Also I am running two different versions of snort on two slightly
> different machines on the same mirrored port of a switch. These are V1.7
> and the already mentioned V1.8-build 43.
> Both of them are dumping core about once a week.
> V1.7 runs on Linux RedHat 7.0, Kernel : 2.2.16-22
> V1.8 runs on Linux RedHat 7.0, kernel : 2.2.19-7.0.8
First off, I'd suggest upgrading to 1.8.1-RELEASE on both boxes. 1.8.1 has
quite a few changes for stability. If you do that, your problems might go
> => Any idea of what is making snort crash ? Can I help by sending
> a core file ?
Read the BUGS file and follow those instructions instead. :) It's got a set
of steps for you to follow. Once you do that, we really don't need a core
file sent to the list.
Hope this helps!
More information about the Snort-users