[Snort-users] New stream 4 messages in 2.0

Chris Green cmg at ...1935...
Mon Apr 21 06:04:09 EDT 2003


Russell Fulton <r.fulton at ...3809...> writes:

> Hi All,
> 	We have just upgraded to 2.0 and are seeing lots of alerts for these:
>
> (snort_decoder) WARNING: TCP Data Offset is less than 5!
> (snort_decoder): T/TCP Detected
>
> Just what triggers these alerts and is there any way to turn them off?
>
> BTW all the "TCP Data Offset is less than 5!" come from three Akamai
> boxes housed on our DMZ :(  Those things seem to bend all the rules to
> breaking point, sigh...

Mind sending me a packet dump to see what these things are doing? :)

>
>
> The "T/TCP Detected" all seem to be from incoming connections.

2.0.0:
config disable_ttcp_alerts

2.0.x also accepts

config disable_tcpopt_ttcp_alerts

-- 
Chris Green <cmg at ...1935...>
Laugh and the world laughs with you, snore and you sleep alone.




More information about the Snort-users mailing list