[Snort-users] New stream 4 messages in 2.0

Slighter, Tim tslighter at ...5174...
Mon Apr 21 07:11:08 EDT 2003

config disable_ttcp_alerts

-----Original Message-----
From: Chris Green [mailto:cmg at ...1935...]
Sent: Monday, April 21, 2003 7:03 AM
To: Russell Fulton
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] New stream 4 messages in 2.0

Russell Fulton <r.fulton at ...3809...> writes:

> Hi All,
> 	We have just upgraded to 2.0 and are seeing lots of alerts for
> (snort_decoder) WARNING: TCP Data Offset is less than 5!
> (snort_decoder): T/TCP Detected
> Just what triggers these alerts and is there any way to turn them off?
> BTW all the "TCP Data Offset is less than 5!" come from three Akamai
> boxes housed on our DMZ :(  Those things seem to bend all the rules to
> breaking point, sigh...

Mind sending me a packet dump to see what these things are doing? :)

> The "T/TCP Detected" all seem to be from incoming connections.

config disable_ttcp_alerts

2.0.x also accepts

config disable_tcpopt_ttcp_alerts

Chris Green <cmg at ...1935...>
Laugh and the world laughs with you, snore and you sleep alone.

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list