[Snort-users] TCP Data Offset is less than 5
Gabriel L. Somlo
somlo at ...8241...
Wed Dec 31 11:25:02 EST 2003
I've been getting hammered with this lately:
Signature "[snort] (snort_decoder) WARNING: TCP Data Offset is less than 5!"
The overwhelming majority of alerts are from hosts that are dialed in
over the modem pool.
We have a /16-sized network, the modem pool has a /22 subnet of that,
and I'm seeing 1GByte worth of alerts/day from cca. 20 machines on
the modem pool (tens of thousands per machine). The curious thing is
that it's specific to machines dialed in over the modems, not a peep from
any other box on the network...
Does anyone have an idea what might be happening, and -- what I'd most
like to figure out -- what's the connection with the modems! :)
Thanks much, and have a Happy New Year!
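
The condition named in the alert quoted above, as an added example that is not part of the original post and not Snort's own code: the TCP data offset field counts 32-bit words, and a valid header is at least 5 words (20 bytes). The function names, verdict strings and sample packets are constructed for illustration, and input is assumed to be raw IPv4 packets without a link-layer header.

```python
import socket
import struct
from collections import Counter

def check_tcp_offset(pkt: bytes):
    """Classify one raw IPv4 packet; returns (source_ip, verdict)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, "not-ipv4"
    src = socket.inet_ntoa(pkt[12:16])
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    if pkt[9] != 6:
        return src, "not-tcp"
    # Only the first fragment carries the TCP header; later ones must not be parsed.
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return src, "non-first-fragment"
    tcp = pkt[ihl:]
    if ihl < 20 or len(tcp) < 20:
        return src, "truncated"
    doff = tcp[12] >> 4                  # data offset, in 32-bit words
    if doff < 5:                         # header shorter than the 20-byte minimum
        return src, "doff<5"
    if doff * 4 > len(tcp):              # header claims more bytes than are present
        return src, "doff>len"
    return src, "ok"

def tally(packets):
    """Count malformed-offset packets per (source, verdict)."""
    counts = Counter()
    for pkt in packets:
        src, verdict = check_tcp_offset(pkt)
        if verdict in ("doff<5", "doff>len"):
            counts[(src, verdict)] += 1
    return counts

def make_pkt(src, doff, frag=0):
    """Build a constructed 40-byte IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("192.0.2.1"))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, doff << 4, 0x10, 512, 0, 0)
    return ip + tcp

# Constructed sample traffic (documentation address ranges).
SAMPLE = [make_pkt("198.51.100.5", 5), make_pkt("198.51.100.7", 0),
          make_pkt("198.51.100.7", 3), make_pkt("198.51.100.9", 15),
          make_pkt("198.51.100.9", 0, frag=0x0010)]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE).items()):
        print(key, n)
```

Grouping by source and verdict separates hosts that send short offsets from packets that are merely truncated or are later fragments, which carry no TCP header to check.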