[Snort-users] Snort: WARNING: TCP Data Offset is less than 5!

Matthew Connor M_CONNOR at ...5068...
Wed Jun 25 19:55:09 EDT 2003


Hi all. I saw this on my snort box at my office and now I'm seeing it at
home on my Comcast cable line. Any thoughts?
(My IP is X'ed out, offender's IP is intact)

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/23/03-21:30:48.507915 0:8:21:96:56:7B -> 0:40:10:11:58:58 type:0x800
len:0x56
68.54.242.245:0 -> 65.X.X.X:0 TCP TTL:115 TOS:0x0 ID:18363 IpLen:20
DgmLen:72 DF
1**AP*S* Seq: 0x15C91AE  Ack: 0x3D78DF67  Win: 0x5018  TcpLen: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:33:11.997545 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:9473 IpLen:20
DgmLen:40
12***RSF Seq: 0x3B0000  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:34:24.784228 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:6443 IpLen:20
DgmLen:40
*******F Seq: 0x0  Ack: 0x119946C7  Win: 0x5014  TcpLen: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:34:56.844362 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:54587 IpLen:20
DgmLen:40
******** Seq: 0x0  Ack: 0x119946C7  Win: 0x5014  TcpLen: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Header length exceeds packet length! [**]
06/25/03-11:35:04.986435 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:33344 IpLen:20
DgmLen:40
***A*R** Seq: 0xE90000  Ack: 0x2279  Win: 0x5014  TcpLen: 32

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:35:28.975050 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:38734 IpLen:20
DgmLen:40
12***RSF Seq: 0x900000  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:37:02.195702 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:33922 IpLen:20
DgmLen:40
12***RSF Seq: 0x100000  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:37:18.491995 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:21132 IpLen:20
DgmLen:40
12***RSF Seq: 0x0  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:38:47.651281 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:52410 IpLen:20
DgmLen:40
12***RSF Seq: 0xC30000  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:39:01.470238 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:35266 IpLen:20
DgmLen:40
12***RSF Seq: 0x10000  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:39:12.940392 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:2249 IpLen:20
DgmLen:40
12***RSF Seq: 0x0  Ack: 0xD1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:39:50.613856 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:7901 IpLen:20
DgmLen:40
12***RSF Seq: 0x8EED0000  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:40:51.100937 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:22013 IpLen:20
DgmLen:40
12***RSF Seq: 0x0  Ack: 0xD1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
06/25/03-11:40:54.817408 0:8:E2:35:D8:8C -> 0:E0:29:53:E0:6B type:0x800
len:0x3C
68.54.242.245:0 -> 68.59.18.148:0 TCP TTL:115 TOS:0x0 ID:13824 IpLen:20
DgmLen:40
12***RSF Seq: 0x0  Ack: 0x1199  Win: 0x5014  TcpLen: 16

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




--Matthew
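The two decoder checks behind those warnings, as an added example that is not the poster's or Snort's own code: it unpacks a raw TCP header, reads the 4-bit data offset, and reproduces the Snort-style summary line over constructed segments shaped like the alerts above (data offsets 4, 8 and 5 in a 20-byte TCP portion); the flag-slot names and packet builder are assumptions for illustration.

```python
import struct

# Snort prints the TCP flag byte as an 8-character string, one slot per bit:
# "1"/"2" are the two ECN bits (reserved in RFC 793), then U A P R S F.
FLAG_SLOTS = (("1", 0x80), ("2", 0x40), ("U", 0x20), ("A", 0x10),
              ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01))
MIN_TCP_HEADER = 20  # RFC 793 header without options, i.e. data offset 5


def flag_string(flags: int) -> str:
    """Render the flag byte the way the snort_decoder alert does (e.g. '12***RSF')."""
    return "".join(name if flags & bit else "*" for name, bit in FLAG_SLOTS)


def check_tcp_segment(segment: bytes):
    """Apply the decoder sanity checks to a raw TCP segment (header + payload).

    Returns (snort_style_summary, warning); warning is None for a sane header.
    Order mirrors the decoder: too-short segment, then data offset < 5,
    then a header that claims more bytes than the segment actually holds.
    """
    if len(segment) < MIN_TCP_HEADER:
        return None, "TCP packet is smaller than the 20-byte minimum header"
    _sport, _dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:MIN_TCP_HEADER])
    data_offset = off_flags >> 12   # 4-bit field counting 32-bit words
    flags = off_flags & 0xFF        # low byte holds the 8 flag bits
    tcp_len = data_offset * 4       # this is the TcpLen value Snort prints
    summary = (f"{flag_string(flags)} Seq: 0x{seq:X}  Ack: 0x{ack:X}  "
               f"Win: 0x{win:X}  TcpLen: {tcp_len}")
    if data_offset < 5:
        return summary, "TCP Data Offset is less than 5!"
    if tcp_len > len(segment):
        return summary, "TCP Header length exceeds packet length!"
    return summary, None


def build_segment(data_offset: int, flags: int, seq=0, ack=0, payload=b"") -> bytes:
    """Construct a sample segment with an arbitrary data offset (test data, not a capture)."""
    header = struct.pack("!HHIIHHHH", 0, 0, seq, ack,
                         (data_offset << 12) | flags, 0x5014, 0, 0)
    return header + payload


if __name__ == "__main__":
    # Constructed segments shaped like the alerts above: 20 bytes of TCP
    # (DgmLen 40 minus IpLen 20) with data offsets of 4, 8 and 5.
    for seg in (build_segment(4, 0xC7, seq=0x3B0000, ack=0x1199),
                build_segment(8, 0x14, seq=0xE90000, ack=0x2279),
                build_segment(5, 0x12)):
        summary, warning = check_tcp_segment(seg)
        print(summary, "->", warning or "ok")
```

Offsets 0 and 4 describe a header shorter than the 20-byte minimum, and offset 8 claims 32 bytes of header inside a 20-byte TCP portion, which is exactly what the two warning variants in the alerts report; no TCP stack will accept such a segment, so the decoder flags it rather than trying to interpret the flags and ports it prints.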