[Snort-users] Some odd traffic.

twig les twigles at ...131...
Fri Dec 12 09:35:03 EST 2003


--- Matt Linton <mlinton at ...10499...> wrote:
> Has anyone seen traffic like this before?  It's a little bit odd to see
> TCP port 0 -> Port 0 across the router. Especially with A and R flags, no?
>
> [**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
> 12/11-16:28:18.618241 192.168.20.81:0 -> 10.0.2.5:0
> TCP TTL:128 TOS:0x0 ID:18920 IpLen:20 DgmLen:136
> *2UA*R** Seq: 0x12502710  Ack: 0x103C225  Win: 0xF437  TcpLen: 12  UrgPtr: 0xFFFF
> 

I get 0.0.0.0:0 alerts sometimes and when I check it out it's
our firewall spitting out TCP packets with bad checksums.  May
not be your problem, but worth checking out.  Though I must say
that looking at CAM tables for a specific MAC address on a core
switch sucks.

=====
-----------------------------------------------------------
Get a taste of Religion ... eat a priest!       
-----------------------------------------------------------
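
Added example, not part of the original thread and not Snort's code: a minimal Python decoder that applies the checks discussed above (data offset below 5, port 0, TCP checksum) to a header constructed from the fields printed in the quoted alert. The function names are hypothetical, and the checksum in the sample is computed here because the alert does not show the captured one.

```python
import socket
import struct

SNORT_FLAGS = "12UAPRSF"  # flag letters as printed in the alert, bit 0x80 down to 0x01

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def inspect_tcp(src: str, dst: str, segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and list what a decoder would flag."""
    if len(segment) < 20:
        return {"tcplen": None, "flags": None, "findings": ["truncated header"]}
    sport, dport, _seq, _ack, off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    doff = off >> 4  # header length in 32-bit words; 5 is the minimum legal value
    findings = []
    if doff < 5:
        findings.append("data offset < 5")
    if sport == 0 or dport == 0:
        findings.append("port 0")
    # A valid segment sums (with its pseudo-header) to 0xFFFF, so the complement is 0.
    if inet_checksum(pseudo_header(src, dst, len(segment)) + segment) != 0:
        findings.append("bad checksum")
    flag_str = "".join(c if flags & (0x80 >> i) else "*" for i, c in enumerate(SNORT_FLAGS))
    return {"tcplen": doff * 4, "flags": flag_str, "findings": findings}

def build_sample(src: str, dst: str) -> bytes:
    """Constructed header using the alert's fields; checksum computed here, not captured."""
    fields = [0, 0, 0x12502710, 0x0103C225, 3 << 4, 0x74, 0xF437, 0, 0xFFFF]
    hdr = struct.pack("!HHIIBBHHH", *fields)
    fields[7] = inet_checksum(pseudo_header(src, dst, len(hdr)) + hdr)
    return struct.pack("!HHIIBBHHH", *fields)

if __name__ == "__main__":
    SRC, DST = "192.168.20.81", "10.0.2.5"
    good = build_sample(SRC, DST)
    bad = good[:16] + bytes([good[16] ^ 0xFF]) + good[17:]  # corrupt the checksum
    print(inspect_tcp(SRC, DST, good))
    print(inspect_tcp(SRC, DST, bad))
```

The `TcpLen: 12` in the alert corresponds to a data offset of 3 words, which is why the decoder warning fires regardless of whether the checksum is valid.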
