[Snort-users] Some odd traffic.

twig les twigles at ...131...
Fri Dec 12 09:35:03 EST 2003

--- Matt Linton <mlinton at ...10499...> wrote:
> Has anyone seen traffic like this before?  It's a little bit odd to see
> TCP port 0 -> Port 0 across the router. Especially with A and R flags, no?
> [**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
> 12/11-16:28:18.618241 ->
> TCP TTL:128 TOS:0x0 ID:18920 IpLen:20 DgmLen:136
> *2UA*R** Seq: 0x12502710  Ack: 0x103C225  Win: 0xF437  TcpLen: 12
> UrgPtr: 0xFFFF

I get alerts sometimes and when I check it out it's
our firewall spitting out TCP packets with bad checksums.  May
not be your problem, but worth checking out.  Though I must say
that looking at CAM tables for a specific MAC address on a core
switch sucks.

Get a taste of Religion ... eat a priest!       
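
Added example, not part of the original thread: a Python triage helper that checks a captured IPv4/TCP packet for the two conditions raised above, a TCP data offset below 5 words (the decoder warning, shown by Snort as TcpLen: 12) and an invalid TCP checksum. The function names, the 10.0.0.x addresses and the sample packets are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, seg_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, seg_len)

def triage_tcp(packet: bytes) -> dict:
    """Report the decoder condition and checksum state of one IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    segment = packet[ihl:total_len]
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    offset_words = segment[12] >> 4           # header length in 32-bit words
    pseudo = pseudo_header(packet[12:16], packet[16:20], len(segment))
    return {
        "sport": sport, "dport": dport,
        "tcp_len": offset_words * 4,          # the value Snort prints as TcpLen
        "offset_too_small": offset_words < 5, # a legal TCP header is >= 20 bytes
        "checksum_ok": inet_checksum(pseudo + segment) == 0,
    }

def build_packet(sport, dport, offset_words=5, corrupt=False) -> bytes:
    """Constructed sample packet (10.0.0.1 -> 10.0.0.2), no payload."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 2,
                      offset_words << 4, 0x14, 0xF437, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, len(tcp)) + tcp)
    if corrupt:
        csum ^= 0x0001                        # simulate a device emitting bad checksums
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    # IP header checksum is left as 0; triage_tcp does not verify it
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 18920, 0, 128, 6, 0)
    return ip + src + dst + tcp

if __name__ == "__main__":
    for pkt in (build_packet(1234, 80), build_packet(0, 0, offset_words=3),
                build_packet(1234, 80, corrupt=True)):
        print(triage_tcp(pkt))
```

A packet that fails both checks at once points toward corruption or a misbehaving device on the path, which is the case the reply describes; the source MAC from the capture is then what to trace on the switch.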

