[Snort-users] MISC IP Reserved bit set

Martin Roesch roesch at ...1935...
Thu Oct 11 09:10:11 EDT 2001


Actually, this is the *IP* reserved bit, right next to the MF and DF
bits in the IP header.  We have other rules that look for the TCP
reserved bits.  Anyway, if you were seeing this traffic you were either
seeing something extremely broken sending our traffic (e.g. Windows or a
broken router) or someone was purposefully sending you crafted packets. 
I'd suggest the latter.

      -Marty

"Miller, Toby" wrote:
> 
> The reserved bits have nothing to do with the PSH or URG flags. It can
> be one of two things:
> 
> 1) Crafted packet. Queso sets these bits when it scans.
> 
> 2) ECN. Explicit Congestion Notification. RFC 3168, 2884 and 2481 I also
> wrote a paper on ECN, you can find that at securityfocus under IDS.
> 
> 
> Toby
> 
> On Tue, 9 Oct 2001, Jean Michel BARBET wrote:
> 
> > > I have used snort for about 2 months now and it is an invaluable tool
> > > both for auditing your network and for learning.
> >
> > Yesterday I got a bunch of :
> >
> > [**] [1:523:1] MISC IP Reserved bit set [**]
> > 10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
> > PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200
> >
> > (I replaced the real addresses by EXTERNAL_NET and HOME_NET)
> > I got more than 6000 of these within 3 hours, then it stopped...
> > There are many different sources and targets.
> >
> > I run snort V1.8 :
> > Version 1.8-RELEASE (Build 43)
> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> >
> > => Could somebody explain to me what are these alerts ?
> 
> It means that there were some of the reserved bits set on some packets
> coming into your net.  I'd guess either URG or PSH.  Have a look at
> W. Richard Stevens' book TCP/IP Illustrated, Volume 1--The Protocols on
> p. 227 for a list.  Section 17.3 explains much better than I what they
> are used for.  The question you must figure out is 'Why?'  That's not a
> normal thing for many nets.  You should look at the packet payload and
> see if it looks 'odd' on some of those...
> 
> > Also I am running two different versions of snort on two slightly
> > different machines on the same mirrored port of a switch.  These are
> > V1.7 and the already mentioned V1.8-build 43.
> >
> > Both of them are dumping core about once a week.
> >
> > V1.7 runs on Linux RedHat 7.0, Kernel : 2.2.16-22
> > V1.8 runs on Linux RedHat 7.0, kernel : 2.2.19-7.0.8
> 
> First off, I'd suggest upgrading to 1.8.1-RELEASE on both boxes.  1.8.1
> has quite a few changes for stability.  If you do that, your problems
> might go away.
> 
> > => Any idea of what is making snort crash ? Can I help by sending
> >    a core file ?
> 
> Read the BUGS file and follow those instructions instead.  :)  It's got
> a set of steps for you to follow.  Once you do that, we really don't
> need a core file sent to the list.
> 
> Hope this helps!
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
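
The distinction Marty draws above, worked through in code: the bit that sid 523 tests is the "must be zero" bit in the IPv4 flags word (right next to DF and MF), which has nothing to do with the TCP reserved bits where ECN's CWR/ECE flags live. This is an added example, not code from the thread or from Snort itself. The packets are constructed in-line so it runs offline; the function names (parse_ipv4_header, parse_tcp_flags, triage), the sample names and the 10.0.0.x addresses are placeholders chosen for the example. It also rejects a header claiming fewer than 20 bytes, which is what the IpLen:12 in the quoted alert amounts to:

```python
"""Decode the IPv4 flags word that Snort sid 523 ("MISC IP Reserved bit set")
tests, and contrast it with the TCP reserved bits where ECN lives.

Added example, not code from the mailing-list thread or from Snort.  Packets
are constructed below (no capture needed); layouts follow RFC 791 and RFC 793,
with CWR/ECE as assigned by RFC 3168."""
import struct

# IPv4 flags/fragment-offset word (header bytes 6-7), RFC 791.
IP_RESERVED = 0x8000     # bit 0: "must be zero" -- what sid 523 matches (fragbits:R)
IP_DF = 0x4000           # bit 1: Don't Fragment
IP_MF = 0x2000           # bit 2: More Fragments
IP_FRAG_OFFSET = 0x1FFF  # remaining 13 bits: offset in 8-byte units

# TCP data-offset/flags word (TCP header bytes 12-13).
TCP_RFC793_RESERVED = 0x0FC0  # the six bits RFC 793 marked reserved
TCP_CWR = 0x0080              # RFC 3168 reassigned the top two of those to ECN
TCP_ECE = 0x0040


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header into its fields.

    Raises ValueError for a truncated datagram, a non-IPv4 version nibble, or
    an IHL below 20 bytes (no real stack emits IpLen:12)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet (version %d)" % (vihl >> 4))
    ihl = (vihl & 0x0F) * 4
    if ihl < 20:
        raise ValueError("IHL %d bytes is below the 20-byte minimum" % ihl)
    return {
        "ihl": ihl, "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "reserved": bool(flags_frag & IP_RESERVED),
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & IP_FRAG_OFFSET) * 8,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def ip_reserved_bit_set(pkt: bytes) -> bool:
    """The test behind sid 523: IP reserved bit set, whatever the protocol."""
    return parse_ipv4_header(pkt)["reserved"]


def parse_tcp_flags(tcp: bytes) -> dict:
    """Decode the TCP flags word, keeping the RFC 793 reserved field visible
    so the two kinds of 'reserved bits' can be told apart."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    word = struct.unpack("!H", tcp[12:14])[0]
    return {
        "data_offset": (word >> 12) * 4,
        "rfc793_reserved": (word & TCP_RFC793_RESERVED) >> 6,  # low two bits = CWR, ECE
        "cwr": bool(word & TCP_CWR), "ece": bool(word & TCP_ECE),
        "urg": bool(word & 0x20), "ack": bool(word & 0x10), "psh": bool(word & 0x08),
        "rst": bool(word & 0x04), "syn": bool(word & 0x02), "fin": bool(word & 0x01),
    }


def build_ipv4_header(flags_frag: int, proto: int = 6, ttl: int = 64, ident: int = 0x1234,
                      payload_len: int = 0, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed test header (checksum left zero; addresses are placeholders)."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, ttl, proto, 0, addr(src), addr(dst))


def build_tcp_header(flags_word: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header with the given data-offset/flags word."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, flags_word, 8192, 0, 0)


def triage(packets: dict) -> dict:
    """Run the sid 523 test over named packets; malformed ones are reported, not dropped."""
    out = {}
    for name, pkt in packets.items():
        try:
            out[name] = "ALERT" if ip_reserved_bit_set(pkt) else "ok"
        except ValueError as e:
            out[name] = "malformed: %s" % e
    return out


# Constructed samples: the "crafted" one borrows PROTO 204 / TTL 153 from the quoted alert.
SAMPLES = {
    "normal_df": build_ipv4_header(IP_DF),
    "fragment": build_ipv4_header(IP_MF | 0x0010),
    "crafted_reserved": build_ipv4_header(IP_RESERVED | IP_DF, proto=204, ttl=153),
    "bogus_ihl": bytes([0x43]) + build_ipv4_header(IP_RESERVED, proto=204)[1:],
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print("%-17s %s" % (name, verdict))
    # An ECN-negotiating SYN sets CWR+ECE, which sit in RFC 793's reserved field,
    # but the IP reserved bit is untouched: different header, different rule.
    ecn_syn = build_tcp_header(0x5000 | TCP_CWR | TCP_ECE | 0x02)
    print("TCP ECN SYN:", parse_tcp_flags(ecn_syn))
```

Running it prints one verdict per sample: the DF-only and fragment headers are "ok", the crafted one alerts, and the IHL-12 header is reported as malformed rather than silently skipped, which is the behaviour you want from a pre-filter so that the packets most likely to be crafted are the ones you look at. The ECN SYN shows CWR and ECE lit while the IPv4 side stays clean.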