[Snort-users] odd alert and ip src+dst

Orlando xbud at ...6465...
Sat Jul 27 19:35:04 EDT 2002


=-=-=-=-=-=-=-=-=-=
Jul 26 22:40:50 natas snort[23330]: [1:522:1] MISC Tiny Fragments 
[Classification: Potentially Bad Traffic] [Priority: 2]: {PROTO105} 
111.100.101.101 -> 110.64.103.105

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jul 26 22:41:33 natas snort[23330]: [!] WARNING: TCP Data Offset 2 < 5  
Jul 26 22:40:50 natas snort[23330]: [1:522:1] MISC Tiny Fragments 
[Classification: Potentially Bad Traffic] [Priority: 2]: {PROTO105} 
111.100.101.101 -> 110.64.103.105


This was on an internal network, a relatively small internal network, and no 
traces of a breach were found anywhere.

No internal machines were scanned, and no ARP requests from any unknown MAC 
addresses were discovered.

I'm wondering if this is a bug in Snort, and if anyone else has encountered 
this problem?

The internal network consists of an Irix box, 2 Linux servers, one Linux 
gateway, an access point and 2 workstations, 1 NT and 1 XP.

An internal IDS was placed because of the AP, but the key is 128-bit WEP, 
and changed every 6 days or so.

Yes, we are a bit paranoid : )

If you respond, CC me please; I'm not subscribed to the list.

snort box 
debian 2.2r3 latest patches.
snort 1.8.7 default sigs.
options are -dve -D -s -l <dir> -c snort.conf (slightly modified from default)

--
------------------------------
Orlando Padilla
http://www.g0thead.com/xbud.asc
'A woman drove me to drink and I didn't 
even have the courtesy to thank her' -wa
------------------------------
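
A triage check for the two log entries quoted in the post, added here as an example and not part of the original message or of Snort: it parses the alert and the decoder warning, reports whether the addresses are private, and tests whether the address bytes plus the protocol number are all printable ASCII. The printable-ASCII test is an assumed heuristic for spotting non-header bytes decoded as an IP header, not a confirmed diagnosis; the function and field names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two syslog entries quoted in the post, with the
# wrapped alert joined back onto one line.
SAMPLE_LOG = """\
Jul 26 22:40:50 natas snort[23330]: [1:522:1] MISC Tiny Fragments [Classification: Potentially Bad Traffic] [Priority: 2]: {PROTO105} 111.100.101.101 -> 110.64.103.105
Jul 26 22:41:33 natas snort[23330]: [!] WARNING: TCP Data Offset 2 < 5
"""

ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")
WARN_RE = re.compile(r"snort\[\d+\]: \[!\] WARNING: TCP Data Offset (\d+) < (\d+)")

def printable(values):
    """True when every byte value is printable ASCII (0x20-0x7e)."""
    return all(0x20 <= v <= 0x7e for v in values)

def triage(log_text):
    """Return one dict per Snort syslog line that matches either format."""
    findings = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
            raw = list(src.packed + dst.packed)
            proto = m["proto"]
            if proto.startswith("PROTO"):  # numeric form, as in the post's {PROTO105}
                raw.append(int(proto[5:]))
            findings.append({
                "sid": int(m["sid"]), "proto": proto,
                "src_private": src.is_private, "dst_private": dst.is_private,
                "header_bytes_printable": printable(raw),
                "as_text": bytes(raw).decode("ascii", "replace"),
            })
            continue
        w = WARN_RE.search(line)
        if w:  # data offset counts 32-bit words; 5 words is the 20-byte minimum
            findings.append({"tcp_data_offset": int(w[1]), "minimum": int(w[2]),
                             "header_bytes": int(w[1]) * 4})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
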



