[Snort-users] New stream 4 messages in 2.0

Slighter, Tim tslighter at ...5174...
Mon Apr 21 07:11:08 EDT 2003


config disable_ttcp_alerts

-----Original Message-----
From: Chris Green [mailto:cmg at ...1935...]
Sent: Monday, April 21, 2003 7:03 AM
To: Russell Fulton
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] New stream 4 messages in 2.0


Russell Fulton <r.fulton at ...3809...> writes:

> Hi All,
> 	We have just upgraded to 2.0 and are seeing lots of alerts for these:
>
> (snort_decoder) WARNING: TCP Data Offset is less than 5!
> (snort_decoder): T/TCP Detected
>
> Just what triggers these alerts and is there any way to turn them off?
>
> BTW all the "TCP Data Offset is less than 5!" come from three Akamai
> boxes housed on our DMZ :(  Those things seem to bend all the rules to
> breaking point, sigh...

Mind sending me a packet dump to see what these things are doing? :)

>
>
> The "T/TCP Detected" all seem to be from incoming connections.

2.0.0:
config disable_ttcp_alerts

2.0.x also accepts

config disable_tcpopt_ttcp_alerts

-- 
Chris Green <cmg at ...1935...>
Laugh and the world laughs with you, snore and you sleep alone.
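
For readers triaging the two alerts discussed in this thread, here is an added example (not part of the original messages and not Snort's own decoder code) that checks a raw TCP header for the conditions the alert texts name. It assumes the "T/TCP Detected" alert corresponds to the RFC 1644 CC, CC.NEW and CC.ECHO options (kinds 11 to 13); the function name, flag names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result flags; these names belong to this example, not to Snort. */
enum { TCP_OK = 0, TCP_TRUNCATED = 1, TCP_BAD_OFFSET = 2, TCP_TTCP = 4, TCP_BAD_OPTION = 8 };

/* Constructed sample TCP headers (ports, sequence numbers left zero). */
static const uint8_t SYN_OK[20]   = { [12] = 0x50, [13] = 0x02 };  /* offset 5, SYN */
static const uint8_t BAD_DOFF[20] = { [12] = 0x20, [13] = 0x10 };  /* offset 2, ACK */
static const uint8_t TTCP_SYN[28] = { [12] = 0x70, [13] = 0x02,    /* offset 7, SYN */
                                      [20] = 1, 1, 11, 6, 0, 0, 0, 1 }; /* NOP NOP CC */

/* Inspect one raw TCP header (IP header already stripped) of len bytes. */
int check_tcp_header(const uint8_t *seg, size_t len)
{
    if (len < 20)
        return TCP_TRUNCATED;
    /* Data offset is the high nibble of byte 12, counted in 32-bit words. */
    unsigned doff = seg[12] >> 4;
    if (doff < 5)
        return TCP_BAD_OFFSET;            /* claims a header under 20 bytes */
    size_t hlen = (size_t)doff * 4;
    if (hlen > len)
        return TCP_TRUNCATED;

    int flags = TCP_OK;
    size_t i = 20;                        /* options start after the fixed header */
    while (i < hlen) {
        uint8_t kind = seg[i];
        if (kind == 0) break;             /* End of Option List */
        if (kind == 1) { i++; continue; } /* NOP has no length byte */
        if (i + 1 >= hlen || seg[i + 1] < 2 || i + seg[i + 1] > hlen)
            return flags | TCP_BAD_OPTION;
        if (kind >= 11 && kind <= 13)     /* CC, CC.NEW, CC.ECHO */
            flags |= TCP_TTCP;
        i += seg[i + 1];
    }
    return flags;
}

int main(void)
{
    printf("SYN_OK   -> %d\n", check_tcp_header(SYN_OK, sizeof SYN_OK));
    printf("BAD_DOFF -> %d\n", check_tcp_header(BAD_DOFF, sizeof BAD_DOFF));
    printf("TTCP_SYN -> %d\n", check_tcp_header(TTCP_SYN, sizeof TTCP_SYN));
    return 0;
}
```

Running the same check over headers extracted from a packet dump shows which hosts produce each condition before the corresponding alert is disabled.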

