[Snort-users] weird message in logs
erek at ...577...
Sat Sep 22 07:05:02 EDT 2001
On 21 Sep 2001, Richard wrote:
> i recently upgraded to the snort 1.8.1 relase and now in my logs i keep
> getting a weird message like
> snort: MISC IP Reserved bit set [1:523:1] : YYY.YYY.YYY.YYY ->
> everytime i connect to anything .. including a webpage or just even
> checking my email. The XXX is my ip and the YYY is the site i am
> connecting to. What does this mean? is there something i can do .. other
> than commenting out that rule.. that i can change or reconfigure?
That is odd. Are you using a proxy or a nat device between you and the world?
Perhaps your ISP has a transparent web proxy?
What that is showing is that the site you connected to ( Y ), is sending back
a packet with a reserved bit flag turned on. That's damned wierd if it's from
each an every IP you connect to. I can't think of a valid reason that would
cause that to happen.
More information about the Snort-users