[Snort-users] weird message in logs

Richard rwitt9 at ...530...
Sat Sep 22 07:24:02 EDT 2001


well i am on Cox cable. But i have had it for over a year and the
messages just started showing up the other day when i upgraded. I know
that Cox uses a web proxy to connect to one specific site that is for
Cox users only. But this happens now even when i connect to my work
email or any other site on the web. I'll go back and look thru my rules
and see if i have something weird set that i shouldnt.

rich

On Sat, 2001-09-22 at 09:04, Erek Adams wrote:
> On 21 Sep 2001, Richard wrote:
> 
> > i recently upgraded to the snort 1.8.1 relase and now in my logs i keep
> > getting a weird message like
> >
> >
> > snort[25617]: MISC IP Reserved bit set [1:523:1] :  YYY.YYY.YYY.YYY ->
> > XXX.XXX.XXX.XXX
> >
> > everytime i connect to anything .. including a webpage or just even
> > checking my email. The XXX is my ip and the YYY is the site i am
> > connecting to. What does this mean? is there something i can do .. other
> > than commenting out that rule.. that i can change or reconfigure?
> 
> 
> That is odd.  Are you using a proxy or a nat device between you and the world?
> Perhaps your ISP has a transparent web proxy?
> 
> What that is showing is that the site you connected to ( Y ), is sending back
> a packet with a reserved bit flag turned on.  That's damned wierd if it's from
> each an every IP you connect to.  I can't think of a valid reason that would
> cause that to happen.
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list