[Snort-users] Truncated TCP Options

Paul Schmehl pauls at ...6838...
Sun Jul 27 13:59:06 EDT 2003


I got a bunch of these today, so I did some research on them, including
the mailing list archives and the RFCs.  Can't say I *fully* understand
them, and a question has arisen that I need an answer to.

In looking at the ACID display of these alerts, I noticed that there
*is* an options field displayed, but it's empty (it actually reads
"none").  Is this a problem with ACID not parsing the data correctly? 
(I assume that's the most likely cause.)  Or is snort not reporting the
options even though it detects that there's a problem with them?

Another thing that I noticed is that the src is one of our web servers
and the dest is the same address for over 8700 of the alerts.  Anyone
want to speculate as to what the cause might be?  The server is a
Solaris box running Apache, and I'm sure it's not misconfigured.  Could
a bad request from a client cause this kind of alert?

-- 
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
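A short, added illustration of what "truncated TCP options" means at the decoder level (this is example code written for this page, not Snort's decoder or ACID's display logic). The parser walks the TCP options area and stops on the same classes of defect a decoder sanity-checks: an option kind byte with no length byte after it, a length field below 2, a length that runs past the end of the options area, and a data offset that points beyond the bytes actually captured. The header bytes, `make_tcp_header`, `parse_tcp_options` and the `TcpOptionsResult` structure are all constructed here for the example. One consequence worth noting, as an assumption rather than a statement about ACID: a decoder that abandons the options on the first defect produces no decoded options at all, so a console column that only renders decoded options has nothing to show.

```python
import struct
from dataclasses import dataclass

TCPOPT_EOL = 0  # End of option list
TCPOPT_NOP = 1  # No-operation padding


@dataclass
class TcpOptionsResult:
    options: list            # (kind, payload) tuples decoded before any defect was hit
    truncated: bool = False  # True if the options area could not be walked to the end
    reason: str = ""         # human-readable description of the defect, if any


def parse_tcp_options(header: bytes) -> TcpOptionsResult:
    """Walk the options area of a raw TCP header, mirroring decoder sanity checks.

    Byte 12 (upper nibble) carries the data offset in 32-bit words; the options
    occupy bytes 20..data_offset. Any inconsistency marks the result truncated.
    """
    res = TcpOptionsResult(options=[])
    if len(header) < 20:
        res.truncated, res.reason = True, "header shorter than the 20-byte minimum"
        return res
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        res.truncated = True
        res.reason = f"data offset {data_offset} invalid for {len(header)} captured bytes"
        return res
    opts = header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            res.options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):  # kind byte present, length byte missing
            res.truncated, res.reason = True, f"option kind {kind} has no length byte"
            return res
        length = opts[i + 1]
        if length < 2:  # length must cover at least kind + length bytes
            res.truncated, res.reason = True, f"option kind {kind} has length {length} < 2"
            return res
        if i + length > len(opts):  # declared length runs past the options area
            res.truncated = True
            res.reason = f"option kind {kind} length {length} exceeds options area at offset {i}"
            return res
        res.options.append((kind, opts[i + 2:i + length]))
        i += length
    return res


def make_tcp_header(options: bytes) -> bytes:
    """Build a constructed TCP header (port 80 -> 40000) carrying the given options."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad to a 32-bit boundary with EOL
    data_offset_words = 5 + len(options) // 4
    fixed = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, data_offset_words << 4,
                        0x10, 65535, 0, 0)  # flags=ACK, window, checksum 0, urgent 0
    return fixed + options


# Constructed sample option sets (not from a capture):
GOOD_OPTS = (b"\x02\x04\x05\xb4"      # MSS 1460
             + b"\x01\x01"            # NOP NOP
             + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00")  # timestamps
LENGTH_PAST_END = b"\x01\x01\x02\x04"  # MSS claims 4 bytes, only 2 remain
ZERO_LENGTH = b"\x03\x00\x01\x01"      # window scale with length 0
MISSING_LENGTH = b"\x01\x01\x01\x02"   # MSS kind byte as the final byte, no length


if __name__ == "__main__":
    for label, opts in [("good", GOOD_OPTS), ("past end", LENGTH_PAST_END),
                        ("zero length", ZERO_LENGTH), ("missing length", MISSING_LENGTH)]:
        r = parse_tcp_options(make_tcp_header(opts))
        print(f"{label:15s} truncated={r.truncated} options={r.options} {r.reason}")
    # A capture cut short (snaplen) also reads as truncated: offset says 36, only 28 present.
    print(parse_tcp_options(make_tcp_header(GOOD_OPTS)[:28]))
```

The last case in the `__main__` block is the one a defender should keep in mind when a single server pair dominates the alert count: a header whose data offset points past the bytes the sensor captured looks exactly like a malformed one, so checking the capture length against the data offset is a cheap first step before concluding that the endpoint is sending bad options.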