[Snort-users] weird message in logs
rwitt9 at ...530...
Sat Sep 22 07:24:02 EDT 2001
Well, I am on Cox cable. But I have had it for over a year and the
messages just started showing up the other day when I upgraded. I know
that Cox uses a web proxy to connect to one specific site that is for
Cox users only. But this happens now even when I connect to my work
email or any other site on the web. I'll go back and look through my rules
and see if I have something weird set that I shouldn't.
On Sat, 2001-09-22 at 09:04, Erek Adams wrote:
> On 21 Sep 2001, Richard wrote:
> > I recently upgraded to the Snort 1.8.1 release and now in my logs I keep
> > getting a weird message like
> > snort: MISC IP Reserved bit set [1:523:1] : YYY.YYY.YYY.YYY -> XXX.XXX.XXX.XXX
> > every time I connect to anything .. including a webpage or just even
> > checking my email. The XXX is my IP and the YYY is the site I am
> > connecting to. What does this mean? Is there something I can do .. other
> > than commenting out that rule .. that I can change or reconfigure?
> That is odd. Are you using a proxy or a NAT device between you and the world?
> Perhaps your ISP has a transparent web proxy?
> What that is showing is that the site you connected to ( Y ), is sending back
> a packet with a reserved bit flag turned on. That's damned weird if it's from
> each and every IP you connect to. I can't think of a valid reason that would
> cause that to happen.
> Erek Adams
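An added example, not part of the original thread and not Snort's own code: a minimal Python check for the bit discussed above, assuming the alert refers to the reserved flag in the IPv4 header (RFC 791, the top bit of the 16-bit flags/fragment-offset field). It tallies the bit per source address, which separates "one odd host" from "every host I talk to"; the helper names and the sample headers are constructed for illustration.

```python
import socket
import struct
from collections import Counter

RESERVED, DF, MF = 0x8000, 0x4000, 0x2000  # RFC 791 flag bits, header bytes 6-7

def build_header(src, dst, flags_frag):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, flags_frag, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_flags(header):
    """Return (src, dst, reserved, df, mf, frag_offset) for an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    src = socket.inet_ntoa(header[12:16])
    dst = socket.inet_ntoa(header[16:20])
    return (src, dst, bool(flags_frag & RESERVED), bool(flags_frag & DF),
            bool(flags_frag & MF), flags_frag & 0x1FFF)

def reserved_bit_summary(headers):
    """Map each source to (packets with reserved bit set, packets seen)."""
    seen, flagged = Counter(), Counter()
    for h in headers:
        src, _dst, reserved, *_ = parse_flags(h)
        seen[src] += 1
        if reserved:
            flagged[src] += 1
    return {src: (flagged[src], seen[src]) for src in seen}

def all_sources_flagged(summary):
    """True when every source sent at least one reserved-bit packet."""
    return bool(summary) and all(f > 0 for f, _ in summary.values())

# Constructed sample headers (documentation address ranges, not real traffic).
SAMPLE = [
    build_header("192.0.2.10", "198.51.100.5", DF),
    build_header("192.0.2.10", "198.51.100.5", RESERVED | DF),
    build_header("203.0.113.7", "198.51.100.5", RESERVED),
    build_header("203.0.113.8", "198.51.100.5", DF),
]

if __name__ == "__main__":
    summary = reserved_bit_summary(SAMPLE)
    for src, (bad, total) in sorted(summary.items()):
        print(f"{src}: {bad}/{total} packets with reserved bit set")
    print("every source affected:", all_sources_flagged(summary))
```

If every source shows the bit, as described in the thread, the cause is more likely something common to all the traffic (a device on the path or the sensor itself) than the remote hosts.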