[Snort-users] MISC IP Reserved bit set

Erek Adams erek at ...577...
Tue Oct 9 07:33:15 EDT 2001

On Tue, 9 Oct 2001, Jean Michel BARBET wrote:

> I have used snort for about 2 months now and it is an unvaluable tool
> both for auditing your network and for learning.
> Yesterday I got a bunch of :
> [**] [1:523:1] MISC IP Reserved bit set [**]
> 10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
> PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200
> (I replaced the real addresses by EXTERNAL_NET and HOME_NET)
> I got more than 6000 of these within 3 hours, then it stopped...
> There are many different sources and targets.
> I run snort V1.8 :
> Version 1.8-RELEASE (Build 43)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> => Could somebody explain to me what are these alerts ?

It means that there were some of the reserved bits set on some packets coming
into your net.  I'd guess either URG or PSH.  Have a look at W. Richard
Stevens book TCP/IP Illustrated, Volume 1--The Protocols on p. 227 for a list.
Section 17.3 explains much better than I what they are used for.  The question
you must figure out is 'Why?'  That's not a normal thing for many nets.  You
should look at the packet payload and see if it looks 'odd' on some of

> Also I am running two different versions of snort on two slightly
> different machines on the same mirrored port of a switch.  These are V1.7
> and the already mentioned V1.8-build 43.
> Both of them are dumping core about once a week.
> V1.7 runs on Linux RedHat 7.0, Kernel : 2.2.16-22
> V1.8 runs on Linux RedHat 7.0, kernel : 2.2.19-7.0.8

First off, I'd suggest upgrading to 1.8.1-RELEASE on both boxes.  1.8.1 has
quite a few changes for stability.  If you do that, your problems might go

> => Any idea of what is making snort crash ? Can I help by sending
>    a core file ?

Read the BUGS file and follow those instructions instead.  :)  It's got a set
of steps for you to follow.  Once you do that, we really don't need a core
file sent to the list.

Hope this helps!

Erek Adams

More information about the Snort-users mailing list