[Snort-users] weird message in logs

Richard rwitt9 at ...530...
Sat Sep 22 09:29:02 EDT 2001


Weird... but i rebooted and its not doing it anymore. 

On Sat, 2001-09-22 at 09:50, Richard wrote:
> well i am on Cox cable. But i have had it for over a year and the
> messages just started showing up the other day when i upgraded. I know
> that Cox uses a web proxy to connect to one specific site that is for
> Cox users only. But this happens now even when i connect to my work
> email or any other site on the web. I'll go back and look thru my rules
> and see if i have something weird set that i shouldnt.
> 
> rich
> 
> On Sat, 2001-09-22 at 09:04, Erek Adams wrote:
> > On 21 Sep 2001, Richard wrote:
> > 
> > > i recently upgraded to the snort 1.8.1 relase and now in my logs i keep
> > > getting a weird message like
> > >
> > >
> > > snort[25617]: MISC IP Reserved bit set [1:523:1] :  YYY.YYY.YYY.YYY ->
> > > XXX.XXX.XXX.XXX
> > >
> > > everytime i connect to anything .. including a webpage or just even
> > > checking my email. The XXX is my ip and the YYY is the site i am
> > > connecting to. What does this mean? is there something i can do .. other
> > > than commenting out that rule.. that i can change or reconfigure?
> > 
> > 
> > That is odd.  Are you using a proxy or a nat device between you and the world?
> > Perhaps your ISP has a transparent web proxy?
> > 
> > What that is showing is that the site you connected to ( Y ), is sending back
> > a packet with a reserved bit flag turned on.  That's damned wierd if it's from
> > each an every IP you connect to.  I can't think of a valid reason that would
> > cause that to happen.
> > 
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list