[Snort-users] weird message in logs

Erek Adams erek at ...577...
Sat Sep 22 07:05:02 EDT 2001


On 21 Sep 2001, Richard wrote:

> I recently upgraded to the snort 1.8.1 release and now in my logs I keep
> getting a weird message like
>
>
> snort[25617]: MISC IP Reserved bit set [1:523:1] :  YYY.YYY.YYY.YYY ->
> XXX.XXX.XXX.XXX
>
> every time I connect to anything .. including a webpage or just even
> checking my email. The XXX is my IP and the YYY is the site I am
> connecting to. What does this mean? Is there something I can do .. other
> than commenting out that rule.. that I can change or reconfigure?


That is odd.  Are you using a proxy or a NAT device between you and the world?
Perhaps your ISP has a transparent web proxy?

What that is showing is that the site you connected to ( Y ), is sending back
a packet with a reserved bit flag turned on.  That's damned weird if it's from
each and every IP you connect to.  I can't think of a valid reason that would
cause that to happen.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
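
The field this alert refers to, as an added example that is not part of the original thread: the reserved bit is the top bit of the 16-bit flags/fragment-offset word at bytes 6-7 of the IPv4 header (RFC 791). The addresses, sample packets and function names below are constructed for illustration.

```python
import socket
import struct

# 16-bit flags/fragment-offset word at bytes 6-7 of the IPv4 header (RFC 791)
IP_RB = 0x8000       # reserved bit, must be zero
IP_DF = 0x4000       # don't fragment
IP_MF = 0x2000       # more fragments
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement sum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, flags_frag: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (TCP, TTL 64) for testing."""
    fields = [0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(raw)  # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields)


def inspect(packet: bytes) -> dict:
    """Decode the fragment bits of an IPv4 header and report the reserved bit."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, _, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "reserved": bool(flags_frag & IP_RB),
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & IP_OFFMASK) * 8,
        # A valid header, checksum field included, sums to zero.
        "checksum_ok": checksum(packet[:ihl]) == 0,
    }


# Constructed samples: a normal DF packet and one with the reserved bit also set.
NORMAL = build_header("192.0.2.10", "198.51.100.7", IP_DF)
ODD = build_header("192.0.2.10", "198.51.100.7", IP_RB | IP_DF)
```

Running `inspect()` over headers taken from a capture at the sensor shows whether the bit is really set on the wire and whether the header checksum still verifies.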




