[Snort-users] TCP Data Offset is less than 5

Gabriel L. Somlo somlo at ...8241...
Wed Dec 31 11:25:02 EST 2003


I've been getting hammered with this lately:

Signature "[snort] (snort_decoder) WARNING: TCP Data Offset is less than 5!" 

The overwhelming majority of alerts are from hosts that are dialed in
over the modem pool.

We have a /16-sized network, the modem pool has a /22 subnet of that,
and I'm seeing 1GByte worth of alerts/day from cca. 20 machines on
the modem pool (tens of thousands per machine). The curious thing is
that it's specific to machines dialed in over the modems, not a peep from
any other box on the network...

Does anyone have an idea what might be happening, and -- what I'd most
like to figure out -- what's the connection with the modems ! :)

Thanks much, and have a Happy New Year !

